Android 2.3 Gingerbread security flaw reveals microSD contents to attackers

Android Froyo and Gingerbread


Xuxian Jiang, a computer security researcher at North Carolina State University, has identified a security flaw in Android 2.3 Gingerbread. The vulnerability provides access to the microSD card and applications directory on Android 2.3 handsets. If a user clicks on a link, malicious code on a website could access the data on a microSD card, including voicemail, photos, and other saved data. Once scanned, these files can be uploaded to a remote server. In a similar manner, the vulnerability also lets attackers scan and upload the installed and built-in applications on a handset. The vulnerability was discovered as part of a research project and was confirmed using a Nexus S running Android 2.3 Gingerbread.

To avoid being compromised by this exploit in the wild, Gingerbread users can remove or disable their microSD card, but this preventive measure may prevent you from saving photos or voicemails to your phone. You can also disable JavaScript in the built-in Android browser, but you may not be able to view certain websites that require JavaScript to function properly. The last, and perhaps the least disruptive, preventive measure is to switch to a third-party browser like Firefox.

Google has recently fixed a troubling SMS bug that led to SMS messages being sent to the wrong contact. A fix was put in place that corrected the SMS issue but, according to Jiang, this can be easily bypassed. eWeek has examined this issue and confirmed that Google is working on a solution to block this hole. As of the writing of this post, there is no official confirmation from Google on when this vulnerability will be fixed.

[Via North Carolina State, Engadget, eWeek]

  • GaryN

    Noticed this was posted on a Blackberry web page. Blackberry must be running scared if they have to talk about the competition on a strictly Blackberry site.

  • david1171

    The Nexus S isn’t even compatible with microSD cards….

  • Bustedflywheel

    Nexus S doesn’t even have a microSD slot. How can someone access something that even the user has no access to? Scare tactics…..failed.

  • Kaichunlin

    The built-in memory functions as the SD card (for app compatibility reasons); it’s just that the user cannot change it.

  • CJ

    The SMS fix “can easily be bypassed”?! Do these people have a clue about what they are talking about? Just get some monkeys and put them in front of typewriters!

  • Some

    It is gay and doesn’t make sense…
