Flaw in Android OS makes data vulnerable
Google (NASDAQ: GOOG) is working on a patch to fix a flaw in the Android operating system that would allow a malicious website to obtain the contents of any file stored on the device's SD card.
Security researcher Thomas Cannon discovered the vulnerability and said that it could also be exploited to retrieve some data and files stored on the phone itself. Cannon notified Google of the discovery and agreed to withhold details of the flaw while Google develops a fix.
In general, the vulnerability stems from the way Android saves downloaded files: always in the same location. By using JavaScript, an attacker would be able to automatically open any downloaded file. The attacker would need to know the name of the file, but many applications typically save files with the same name.
"Once the JavaScript has the contents of a file it can post it back to the malicious website," said Cannon. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort."
Google plans to patch the problem with its upcoming Gingerbread Android 2.3 maintenance release.
But that likely won't solve the problem for older devices, warned Chester Wisniewski, senior security adviser with Sophos Canada. Because of memory limitations, older devices can't run the latest version of Android. These devices include the HTC Dream and the Motorola Devour.
Wisniewski advises users not to use the built-in Android browser. "For now the only option is to choose third-party applications that are updated through the Android Market instead of using the embedded applications." He recommends Opera Mobile or Firefox 4 portable, which is currently in beta.
For more:
- see this InformationWeek article