Google plugs Google Admin app sandbox bypass 0-day

After having had some trouble with fixing a sandbox bypass vulnerability in the Google Admin Android app, the Google Security team has finally released on Friday an update that plugs the hole.

Google Admin is an app that lets administrators of Google for Work products manage accounts on-the-go.

MWR Labs researcher Rob Miller discovered earlier this year that it had a security flaw that allowed other applications on the device to bypass Android sandbox restrictions, and read data out of any file within the Google Admin sandbox.

“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device,” MWR Labs explained. “The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox.”

Google has been notified of the existence of the flaw almost immediately, but it took the company’s security team nearly five months to push out a fix – a lot more than their usual self-imposed 90 day deadline for fixing flaws.

MWR Labs finally disclosed the bug’s technical details in an advisory published on Thursday, advising users to steer clear of untrusted third party applications until a patch is pushed out.