A security officer has stumbled across a serious vulnerability in the built-in browser of Android smartphones that might allow hackers to lift data from SD cards in the Google handsets.
It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability, as explained in an advisory and video here.
Cannon has gone public ahead of a update to the Android OS he reckons will be necessary to fix the problem in order to warns users of the risk. He was keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue this far.
"Google's response so far has been excellent," Cannon said. "I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However in this case I don't believe they will be able to.
"This is not because of Google's response process, but because of the way handsets have to receive OS updates from manufacturers. I therefore believe it better that users are given a chance to protect themselves at an early opportunity, or at least understand the risks," he said.
In a statement, a Google spokesman acknowledged the problem and said it was in the process of developing and releasing a patch.
We've developed a fix for an issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android.
Google's security team told Cannon that they are aiming for a fix to go into Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," he added. ®