Saturday, 26 November 2011

Exposed Android Data Stealing 
While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card. It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.
The vulnerability is present because of a combination of factors. I’ve been asked nicely to remove some details from the following section, and as my intention is to inform people about the risk, not about how to exploit users, I’ve agreed:
  • The Android browser doesn't prompt the user when downloading a file; a file such as "payload.html", for example, is saved automatically to /sdcard/download/payload.html.
  • It is possible, using JavaScript, to make this payload open automatically, causing the browser to render the local file.
  • When opening an HTML file within this local context, the Android browser runs JavaScript without prompting the user.
  • While in this local context, the JavaScript is able to read the contents of files (and other data). One limiting factor of this exploit is that you have to know the name and path of the file you want to steal; however, a number of applications store data under consistent names on the SD card, and pictures taken with the camera follow a consistent naming convention too. It is also not a root exploit: it runs within the Android sandbox and cannot grab every file on the system, only those on the SD card and a limited number of others.
Procedure: how the attacker gains access to the Android phone is shown in the figure.
The vulnerability appears to affect all versions of Android, including the current version 2.2. The Android security team has been informed about this vulnerability.
