Mayur's Posterous

This is why Gingerbread is delayed for Nexus One owners.

Android 2.3 (Gingerbread) Data Stealing Vulnerability

By Xuxian Jiang, Assistant Professor, Department of Computer Science, NC State University
While working on an Android-related research project, I came across a data stealing vulnerability in Android 2.3 (Gingerbread). This vulnerability is of the same nature with the one reported by Thomas Cannon during last November on Android 2.2 (Froyo). That particular bug is supposed to be fixed in Android 2.3 (Gingerbread) -- see the links here, here, here, and there.

Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone. The attack works by requiring the user to visit a malicious link. Based on the experiments with one of our Nexus S phones, we have leveraged the vulnerability to

  • Obtain the list of applications that are currently installed in the phone;
  • Upload the applications (located in /system and /sdcard partitions) to a remote server;
  • Read and upload the contents of any file (including photos, saved voicemails...) stored on the phone's /sdcard. Note that to do that, the exact pathname/filename needs to be known.

I notified the Google Android Security Team on 01/26/2011 and was pleased/impressed to receive their response within 10 minutes. After that, we exchanged emails, including a critical piece of exploit code, to better understand the nature of the vulnerability. From the interaction, I can tell that they took this issue seriously and the investigation was started immediately without any delay. Also, I need to mention that this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the /sdcard and a limited number of others).

The vulnerability is now confirmed and I was told that an ultimate fix will be included no later than the next major release of Android. We are not aware of any active exploitation of this issue.

For responsible disclosure, I will not publish the details of the vulnerability until an ultimate fix is out. However, I would like to share the common intention by informing users about the potential risk (and absolutely NOT about how to exploit), which is the reason why I created this webpage.

Before the ultimate fix is out, there are several ways we can take to mitigate this threat. For example, we can temporarily disable Javascript support in the Android browser or switch to a third-party browser for the time being (e.g., Firefox). We can also choose to unmount the /sdcard. But that may greatly affect the usability of the phone. Users are also encouraged to be cautious when viewing unfamiliar websites.

Finally, I'd like to thank Nick from the Android Security Team for verifying the presence of this vulnerability and keeping me informed as this fix progresses. 

Related links:

Last modified: Janurary 28th, 2011

 

Posted

Android Event 02-02-2011 explaining Honeycomb features using a Xoom

 

Posted

The new Sony Ericsson Xperia™ PLAY. Android is ready to play

Posted

My Nook Color runs Android 3.0 a.k.a. Honeycomb.

First off, a big thank you to everyone who sent me all those links when this exciting news broke out!

I still can't believe that I'm running a brand new generation of Android (N1 owners still waiting for "official" 2.3 Gingerbread to release). When Honeycomb was first shown at CES, I had read a lot of reports that there will be specific hardware requirements and that you couldn't just brute force run 3.0 on any device, especially not on my $250 e-reader. The UI for 3.0 is very much Tron-esque and ... shiny :D

Although this is an early release of Honeycomb, the graphics run smooth on my device. I've attached a short video showing the ripple effect of the lock screen.

Some more pictures from bootup to a few menu options including Settings and Recently Used (multi-tasking) menus.

Media_httpiimgurcomxa_zeanc

Media_httpiimgurcomee_uatek

Media_httpiimgurcom93_ppjvy

Media_httpiimgurcomr3_hgtun

Media_httpiimgurcomam_teqyk

Media_httpiimgurcomdb_futxd

Media_httpiimgurcomjd_bhxlf

Media_httpiimgurcomar_necco

Media_httpiimgurcomov_mqpzu

Media_httpiimgurcomja_oecbm

Media_httpiimgurcombz_pkhna

I <3 the Android Community.
Posted

Notion Ink's Adam tablet Promo

via Pradeep

Posted

Motorola ATRIX Promo (official video)

Phandroid posts that this will be sold for $600 without a contract.

I <3 the future.

Posted

Gingerbread "Screen Off" animation

This video shows what happens when you turn your screen off in Gingerbread.

Posted

Flip Phone – Smartphone Concept running Android by Kristian Ulrich Larsen » Yanko Design

How many “flips” does it take to make your Smartphone super-sexy. The answer? Three flexible AMOLED touchscreens and a keyboard on the reverse! Here’s what the Flip Phone feels like: a smart triangular piece held together with soft steel mesh hinges, hosting a custom flavor of Android.The boundaries of a PC and phone have smudged-up big time and this is a sample of what that future looks like. I love it!

Sexy concept phone and runs Android - what else do you need?

 

Posted

Zeitgeist 2010: Year in Review

Posted

Nexus One will be the first handset to get Gingerbread | Geekword - Technology Blog

Want more evidence of Gingerbread going live this week? Then stay right here as we have got the stuff you are looking for. A tweet from Alvaro Fuentes Vasquez who happens to be an effective member of Open Handset Alliance has strengthen the rumor of Google releasing Gingerbread during the course of this week, possibly on 11th October as rumored earlier.

 

Here’s a translated version of the tweet:

Prepare your Nexus One (Developer version) for Android OTA update 2.3 (Gingerbread) in the next few days:-D

I just wonder if the mention of the Google’s first Android flagship device, Nexus One strengthens the claims of Samsung manufactured Nexus Two launch being delayed owing to hardware failure. Having said that Nexus One owners out there will be extremely happy upon hearing this news.

 

Posted