Find: Our professor Jiang just found an Android vulnerability





Android version 2.3 contains a data leak vulnerability, similar to that found in previous versions.
A computer security researcher at NC State University, Xuxian Jiang, has identified a security vulnerability in the latest version of Google Android, version 2.3, also known as Gingerbread. The vulnerability gives attackers access to user data – similar to a vulnerability identified in previous iterations of Android, which Google thought it had fixed with the latest version.
Basically, simply by clicking on a link, Android users may give attackers access to personal information. If exploited, the vulnerability would allow a malicious Web site to read and upload the contents of any file stored on the phone’s microSD (memory) card. Information on the SD card could include saved voicemails, photos or online banking data.
The vulnerability would also allow attackers to find out all of the applications installed on a phone, and upload many of the applications onto a remote server – including all built-in applications.
Jiang, who discovered the vulnerability while working on an Android-related research project, has confirmed it on a Nexus S phone running Gingerbread.
A similar vulnerability was reported on earlier versions of Android phones, leading Google to make changes in Gingerbread designed to address the flaw. However, Jiang has found that the Gingerbread fix can be bypassed.
So, what can be done to mitigate the vulnerability? The simplest way to protect your information is to remove or disable the SD card in your phone. However, that will leave you unable to save voicemail or photos. You could also disable JavaScript in your browser, but that would affect your ability to access online content. Another option is to switch to a third-party browser, such as Firefox.
Now that this information is out there, programmers can begin to develop means of addressing the vulnerability.