An Android security flaw has been identified which, if exploited, could allow unauthorized access to data saved on a user’s memory card and, in some cases, on the device’s own storage. Spotted by Thomas Cannon, there are certain limitations to the exploit – hackers must know the name of the files they wish to steal, not terribly difficult if you’re dealing with system-named files like photos – but already the Android security team are cooking up a fix.

The Android browser doesn’t prompt the user when downloading a file, for example “payload.html”, it automatically downloads to /sdcard/download/payload.html

It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file.

When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user.

While in this local context, the JavaScript is able to read the contents of files (and other data).

The flaw has been independently verified by Heise.de, and Google says it will be rolling a fix into Android 2.3 Gingerbread. That could be released as soon as December 6 2010. Until then, be wary of unexpected downloads or HTML code in emails from users you don’t know.

[vimeo]http://vimeo.com/17030639[/vimeo]

[via rigelt]