
Google fails to fix Android flaw


By Nicole Kobie

Posted on 31 Jan 2011 at 09:07

The latest version of Google Android has failed to fully fix a previously noted flaw.

The vulnerability was first discovered in Android 2.2 last year, and Google promised to patch it in the next version. However, a researcher has revealed the hole still exists in 2.3 on Google's own Nexus S handset.

"Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed," wrote Xuxian Jiang, an assistant professor at NC State University.


"We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," he said.

If a user is tricked into visiting a malicious site, the flaw could let hackers view any files stored on the SDcard, as well as view a list of apps and upload them to a remote server.

Jiang noted that because Android is sandboxed, the attack can only access a few files other than those on an SDcard.

The researcher said he had seen no attacks using the flaw yet, and noted Google has again promised a fix will be included in the next major release of the mobile OS.

In the meantime, the flaw can be avoided by disabling JavaScript support in the Android browser, or simply by using a third-party browser.

Despite Google's failure to fix the flaw the first time around, Jiang praised the company for its quick response. "From the interaction, I can tell that it took this issue seriously and the investigation was started immediately without any delay."

A spokesperson for Google said: "We've incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone. We're in communication with our partners."


User comments

Ironic that Google was once upon a time the Road Map that showed you how to get places and it's now become merely the Advertising Billboards you pass on your journey - with one exception: in real life, anyone with an interesting place to look at gets paid for having the ads. Not on an Android phone though - apparently developers are having problems selling their apps on the devices and all their presence seems to be doing is helping suck more people onto the Android ad platform.

Do no evil?

By SwissMac on 31 Jan 2011

Don't worry I won't come back here!

Of course we all know you're an Apple troll - it's in the nick SwissMac - Should really be Swiss Cheese - I won't insult you.

Google release a lot of stuff for free - shit I don't think I have so far paid them a single currency unit yet.

They have in many ways spurred the internet forward - opening up niches for all. They have expanded in so many areas. They do no evil.

Apple on the other hand remind me of the Church of Scientology - many people brainwashed and zombified into buying their worthless crap - Apple are Evil - and they really are enjoying their huge iPhone sales based on stolen technology (Nokia)

By nicomo on 31 Jan 2011

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
