Android version 2.3 contains a data leak vulnerability, similar to that found in previous versions.
A computer security researcher at NC State University, Xuxian Jiang, has identified a security vulnerability in the latest version of Google Android, version 2.3, also known as Gingerbread. The vulnerability gives attackers access to user data – similar to a vulnerability identified in previous iterations of Android, which Google thought it had fixed with the latest version.
Basically, simply by clicking on a link, Android users may give attackers access to personal information. If exploited, the vulnerability would allow a malicious Web site to read and upload the contents of any file stored on the phone’s microSD (memory) card. Information on the SD card could include saved voicemails, photos or online banking data.
The vulnerability would also allow attackers to find out all of the applications installed on a phone, and upload many of the applications onto a remote server – including all built-in applications.
Jiang, who discovered the vulnerability when working on an Android-related research project, has confirmed the vulnerability using Gingerbread being run on a Nexus S phone.
A similar vulnerability was reported on earlier versions of Android phones, leading Google to make changes in Gingerbread designed to address the flaw. However, Jiang has found that the Gingerbread fix can be bypassed.
Now that this information is out there, programmers can begin to develop means of addressing the vulnerability.
Not desiring to let this myth fester unopposed, Google decided to take on the critics by enlightening them on how Android is designed.
The Nexus S, like the Nexus One before it, is designed to allow enthusiasts to install custom operating systems. Allowing your own boot image on a pure Nexus S is as simple as running
fastboot oem unlock. It should be no surprise that modifying the operating system can give you root access to your phone. Hopefully that’s just the beginning of the changes you might make. [...]
Android has a strong security strategy, backed by a solid implementation. By default, all Android applications are sandboxed from each other, helping to ensure that a malicious or buggy application cannot interfere with another. All applications are required to declare the permissions they use, ensuring the user is in control of the information they share. And yes, we aggressively fix known security holes, including those that can be used for rooting. Our peers in the security community have recognized our contribution to mobile security, and for that, we are extremely grateful.
Stay tuned for more updates!