Android Security Patch Delayed: SD Card Exposed

Metasploit gave Google a bit of a roast yesterday.

They accuse the software giant of failing to protect users by delaying a fix for a vulnerability (announced last November) and putting it only into Android 2.3 (the “Gingerbread” release).

A fix for what, you may ask:

Perhaps the easiest win though, is that you can grab anything off of the SD card. You might ask, “Anything?! What about the user separation?” Well, because the SD card has been formatted with the “vfat” (aka “fat32”) file system, there is no concept of ownership. All files are owned by the same user id since the file system itself cannot encapsulate who created which file. As Thomas said, files in the SD card that have predictable names are ripe for the picking. This includes pictures and movies. These may in fact be some of the most private data on your device.

Android 2.3 is currently only on 0.4% of Android phones.
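The quoted passage's point, that a vfat volume has no per-file owner and so every file carries the same uid and permission bits, can be checked from a device's mount table. The Python below is an added example, not code from Metasploit or from this post; the function names are hypothetical and the sample mount lines are constructed in `/proc/mounts` format.

```python
# FAT-family filesystems store no owner or mode per file; the kernel
# synthesizes both from mount options, identically for every file.
NO_OWNERSHIP_FS = {"vfat", "msdos"}

# Constructed sample in /proc/mounts format (not captured from a device).
SAMPLE_MOUNTS = """\
/dev/block/mtdblock4 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/vold/179:1 /mnt/sdcard vfat rw,nosuid,noexec,uid=1000,gid=1015,fmask=0702,dmask=0702 0 0
/dev/block/vold/179:9 /mnt/private vfat rw,uid=1000,gid=1000,fmask=0077,dmask=0077 0 0
"""

def parse_options(opt_string):
    """Turn 'rw,uid=1000,fmask=0702' into {'rw': '', 'uid': '1000', ...}."""
    opts = {}
    for item in opt_string.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts

def effective_file_mode(opts):
    """Mode applied to every regular file: 0777 with the mask bits cleared."""
    # fmask takes precedence over umask. If neither is listed, assume no
    # mask at all (worst case); this fallback is an assumption of the example.
    mask = opts.get("fmask") or opts.get("umask") or "0000"
    return 0o777 & ~int(mask, 8)

def audit_mounts(mount_text):
    """Report each ownership-less mount and who can read all of its files."""
    findings = []
    for line in mount_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in NO_OWNERSHIP_FS:
            continue
        opts = parse_options(fields[3])
        mode = effective_file_mode(opts)
        if mode & 0o004:
            scope = "world"   # any uid on the device can read every file
        elif mode & 0o040:
            scope = "group"   # every member of the single mount-wide gid
        else:
            scope = "owner"   # only the single mount-wide uid
        findings.append({"mountpoint": fields[1], "uid": opts.get("uid"),
                         "gid": opts.get("gid"), "file_mode": mode,
                         "readable_by": scope})
    return findings

if __name__ == "__main__":
    for f in audit_mounts(SAMPLE_MOUNTS):
        print(f"{f['mountpoint']}: every file is uid={f['uid']} gid={f['gid']} "
              f"mode={f['file_mode']:04o}, readable by {f['readable_by']}")
```

On a real device the same function can be fed the contents of `/proc/mounts`; a "world" result means no per-app separation exists for anything stored on that volume.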
