Researchers identified a vulnerability in the Google Admin application for Android that could have been exploited to read arbitrary files from the app’s sandbox. Google says it has released an update to patch the flaw.
The Google Admin application for Android is designed to allow administrators to manage their Google for Work accounts from their mobile devices. Admins of Google Apps for Work, Education, Google Coordinate, and Government can use the app to add and manage users, contact support, and view their organization’s audit logs.
Researchers discovered a medium severity vulnerability that allows malicious applications installed on the same device as Google Admin to bypass the Android sandbox and read data from any file within Admin’s sandbox.
The issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox. The flaw was reported to Google in mid-March. The company noted in its advisory that the search giant had not released an update to patch the vulnerability.
However, Google says it has released an update for Google Admin to address the flaw . The company is not aware of any attacks leveraging this security hole.
“We thank the researchers for flagging this to us. We have addressed the issue in the Google Admin app and the fix has been released. In order for this issue to occur, a malicious app would need to be installed on the device. As far as we know, no one has been affected,” a Google spokesperson told .