Over a month ago Google released patches for bugs affecting the built-in browser on all pre-KitKat devices, yet today half of all Android devices remain vulnerable, according to mobile security vendor Lookout.
The same-origin policy (SOP) bug in the browser that ships with all versions of Android below 4.4 illustrates yet again the patching problem in Android, often caused by slow-to-respond handset makers and carriers.
In early September security researcher Rafay Baloch discovered two bugs in the Android Open Source Project (AOSP) browser — called Browser in Android 4.3 and earlier — that meant it failed to enforce SOP. As Google notes, SOP is "perhaps the most important security concept within modern browsers" that's meant to securely govern how content from multiple domains is handled in a browser.
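To make concrete what the policy the browser failed to enforce actually governs, here is an added example (not code from the article, Google or the AOSP project) that implements the origin comparison at the heart of SOP: two URLs share an origin only when scheme, host and effective port all match. The default-port table and the helper names are this example's own assumptions.

```javascript
// Added example: what "same origin" means for the same-origin policy (SOP).
// Browsers compare scheme, host and port; only a full match lets script on one
// page read the other page's DOM, cookies or responses.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" }; // assumed defaults

// Reduce a URL to its origin triple, filling in the scheme's default port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// SOP check: true only when every component of the origin triple matches.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed pairs showing which reads SOP permits and which it must block.
// A browser with the bug described above would answer "true" for the blocked
// cases too, which is exactly the cross-site data exposure the article describes.
const CASES = [
  ["https://bank.example/login", "https://bank.example/account"],     // same origin
  ["https://bank.example:443/a", "https://bank.example/b"],           // default port
  ["http://bank.example/a", "https://bank.example/a"],                // scheme differs
  ["https://bank.example/a", "https://api.bank.example/a"],           // host differs
  ["https://bank.example/a", "https://attacker.example/page"],        // unrelated site
];

function report() {
  return CASES.map(([a, b]) => ({ a, b, allowed: sameOrigin(a, b) }));
}

module.exports = { originOf, sameOrigin, report };
```

Running `report()` yields `allowed: true` for the first two pairs and `false` for the remaining three; a browser that enforces SOP refuses cross-origin DOM and cookie access in precisely those three cases.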
At the time, Tod Beardsley, a researcher with security firm Rapid7, described the bug as a "privacy disaster", explaining that "any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page". The bug also allowed an attacker to hijack a web session by stealing a session cookie.
Since the affected browser ships with all pre-KitKat versions of Android (Google dropped the browser in Android 4.4), it would mean that around 75 percent of all Android users with the Google Play app could be exposed to such an attack, according to Google's figures.
Google released patches for the two flaws shortly after researchers built an exploit for the bug and added it to the penetration testing framework Metasploit.
Despite a patch being available, carriers and handset makers often take their time to distribute that patch in a firmware update to end users. To make matters worse, other browsers built on the AOSP browser were also affected, including Samsung's browser as well as two others available on Google Play.
According to Lookout, whose Android security product has been installed on up to 100 million smartphones, the problem is worse in some countries than others. For example, in Japan, 81 percent of its users are running the vulnerable browser, while across Europe the figure is around 60 percent. In the US, 34 percent of Lookout users have it installed.
"Phones in those regions may receive updates less frequently, thus they are more likely to be vulnerable. The US, on the other hand, has a lower risk because the average age of phones is also much lower. Therefore, fewer of them are vulnerable," Lookout's Jeremy Linden and Meghan Kelly wrote in a blog post.
"Unless and until the AOSP browser is patched, people using it could be exposed to data theft or worse as a malicious attacker with access to an authenticated user session could take any action the user would on that site."
They advise users running Android 4.3 to update to KitKat, but as many Android users will know, that is not always possible. If an update isn't available, the only other option is to buy a newer device.
As per the advice from security experts at the time, the safest option is to disable the default Android browser since it's unlikely it can be uninstalled. After doing this, people should install an unaffected browser, such as Chrome or Firefox.