Update on Android Vulnerability
In many ways I concluded the Android Data Stealing advisory not long after I’d released it. The media interest and resulting debates achieved what I’d hoped, which was to warn users and put some focus on the issue of poor update frequencies for Android devices. A few interesting things have happened since the release, however, and I wanted to round them up into an update post.
- Google released a patch for the specific exploit I created.
- The patch won’t be rolled out until some time after Android 2.3 as originally advised. Users may then have to wait for their device manufacturer and carrier to get the update to them. Some customers, such as those who own shiny new (and expensive) Sony Xperia X10 phones, won’t ever be getting an official update.
- Pulser, a developer from VillainROM, a group that makes custom Android ROMs, confirmed that the fix was ported into the Froyo CyanogenMod sources. This means that many users of custom ROMs are already protected. Pulser/VillainROM were the only people to get in touch regarding the safety of their end users and how to protect them. Kudos to them!
- jduck contacted me about writing an exploit, and subsequently developed it into a Metasploit module. Read his great blog post about it.
- Ludovic Courgnaud from CONIX Security developed an exploit for the vulnerability to demonstrate his XSSF module for Metasploit. He wrote a post about it (in French) along with an absolutely fantastic video demo. He really pushed the limits of what is possible with this simple vulnerability.
And that is pretty much it. For future reference I’ve listed below a small selection of articles or bulletins about it that I thought were worth saving:
SecurityFocus | Heise | Android Police | PC World | The Inquirer | The Register | Maximum PC | Der Standard | SoftPedia | Slashdot | Sophos | Lookout | Information Week