Are you yet to upgrade to Android 4.4 KitKat? Here’s something that might give you a bit of encouragement to make the switch: a serious issue with the stock browser on pre-KitKat phones has been discovered, and it could allow malicious websites to access the data of other websites. Sounds scary? Here’s what you need to know
Security researchers are desperately worried by this, with Rapid7 – the makers of the popular security testing framework, Metasploit – describing it as a ‘privacy nightmare’. Curious about how it works, why you should be worried, and what you can do about it? Read on for more.
A Basic Security Principle: Bypassed
This policy has been a foundation of web application security, ever since it was first introduced in 1995 with Netscape Navigator 2. Every single web browser has implemented this policy, as a fundamental security feature, and as a result it is incredibly rare to see such a vulnerability in the wild.
For more information on how SOP works, you may wish to watch the above video. This was taken at an OWASP (Open Web App Security Project) event in Germany, and is one of the best explanations of the protocol I’ve seen so far.
When a browser is vulnerable to a SOP bypass attack, there’s a lot of room for damage. An attacker could feasibly do anything, from use the location API introduced with the HTML5 spec to find out where a victim is located, all the way to stealing cookies.
Fortunately, most browser developers take this kind of attack seriously. Which makes it all the more noteworthy to see such an attack ‘in the wild’.
How The Attack Works
So, we know Same Origin Polity is important. And we know that a massive failing of the stock Android browser can potentially lead to attackers circumventing this crucial security measure? But how does it work?
Well, the proof of concept given by Rafay Baloch looks a bit like this:
So, what do we have here? Well, there’s an iFrame. This is a HTML element that is used to allow websites to embed another web page within another web page. They’re not used as much as they used to be, largely because they’re an SEO nightmare. However, you still often find them from time to time, and they’re still a part of the HTML specification, and have not yet been deprecated.
What Can Be Done?
Users have a few options here. Firstly, stop using the stock Android browser. It’s old, it’s insecure and there are far more compelling options in the market right now. Google has released Chrome for Android (although, only for devices running Ice Cream Sandwich and up), and there’s even mobile variants of Firefox and Opera available.
Firefox Mobile in particular is worth paying attention to. In addition to offering an amazing browsing experience, it also allows you to run applications for Mozilla’s own mobile operating system, Firefox OS, as well as install a wealth of awesome add-ons.
Finally, if possible, you’d be encouraged to update your Android browser to the latest version, in addition to installing the latest version of the Android operating system. This ensures that should Google release a fix for this bug further down the line, you are protected.
Although, it’s worth noting that there are rumblings that this issue could potentially hit users of Android 4.4 KitKat. However, nothing has emerged that is sufficiently substantial for me to advise readers to switch browsers.
A Major Privacy Bug
Make no mistake, this is a major smartphone security issue. However, by switching to a different browser, you become virtually invulnerable. However, a number of questions remain about the overall security of the Android operating system.
Will you be switching to something a bit more secure, like super-secure iOS or (my favorite) Blackberry 10? Or perhaps will you be staying loyal to Android, and installing a secure ROM like Paranoid Android or Omirom? Or perhaps you’re not even that worried.
Let’s chat about it. The comments box is below. I can’t wait to hear your thoughts.