Thomas Cannon, a security researcher, made news last month when he discovered a vulnerability on the Android OS that could make its devices susceptible to data theft. After finding the threat, Cannon alerted Google. In his blog, Cannon points out, “responsible disclosure would normally prevent me from publishing the advisory while there is a chance the users will get a fix in a reasonable time frame. However, despite the speed at which Google has worked to develop a patch I don’t believe this can happen. The reason is that Android OS updates usually rely on OEMs and carriers to provide an update for their devices.”
VPN Haus speaks with Cannon about his thoughts on Google’s patch, what it means for the future of the Android OS, and the open platform.
VPN Haus: The Android vulnerability that allows malicious Websites to access contents stored on the SD card occurred for multiple reasons, including because the Android browser doesn’t show prompts before it downloads a file or opens an HTML file. Is this vulnerability unique to the Android or could this kind of attack happen to any mobile device?
Thomas Cannon: I had to leverage multiple weaknesses to create an actual exploit, and some of those weaknesses are present on other platforms, but the crux of the attack is due to the way Android applications share data with each other using URIs. Google’s implementation is a clever approach but relies on application developers to set permissions correctly. One of the built-in components didn’t have the correct permissions and I was able to use this. Because applications have complete access to the SD Card, it only takes one weak application to expose the contents of the card or other files via a URI. So far I have only seen this particular approach on Android. On iOS for instance, I’ve found the data segregation to be more restricted.
VPN Haus: From your standpoint, would you say their initial patch was an adequate fix? What would they need to make the fix for Android 2.3 (Gingerbread) solid? (Feel free to keep this high-level for security reasons)
Cannon: The initial patch does address the exploit as presented but doesn’t seek to address all underlying issues. To fully address this issue it will take more work as it is complicated by applications which rely on some of the behavior we are exploiting. Google are aware of this and their approach seems sensible in my opinion. They have a patch which protects users from the immediate threat while they look at the wider issue.
Next week, we’ll talk to Cannon about Google’s response, enterprise security concerns for the Android, and the challenge of issuing security patches for mobile devices.