In the last month we’ve learned about two vulnerabilities that affect the Android Open Source Project browser. The issue, however, is a widespread one, that touches more than just AOSP’s browser, but also derivative browsers that are based on AOSP’s code, such as Samsung’s browser. The issue is actually fairly widespread in our userbase. Around 45% of Lookout users have a vulnerable version of the AOSP browser installed. It should be noted that these users may have a separate browser, such as the Chrome or Firefox browser, installed. However, unless and until the AOSP browser is patched, people using it could be exposed to data theft or worse as a malicious attacker with access to an authenticated user session could take any action the user would on that site. We believe our userbase offers a good look at how Android users overall are being affected by vulnerabilities such as this one. Our country-by-country data reveals some surprising stats about where people are most vulnerable. Japan is the most vulnerable with 81% of Lookout users in the region with the unsafe browser installed. Spain takes second place with 73%. Phones in those regions may receive updates less frequently, thus they are more likely to be vulnerable. The U.S., on the other hand, has a lower risk because the average age of phones is also much lower. Therefore, fewer of them are vulnerable.
Researcher Rafay Baloch found vulnerable two separate “same-origin policy” (SOP) bugs in AOSP’s browser in September (you can see first CVE-2014-6041 here). The vulnerabilities affect Android versions 4.3 and earlier. Google replaced the AOSP browser with the more modern (and more feature-rich) Chrome Browser in Android 4.4, so updated users need not worry. The same-origin policy (SOP) is a cornerstone of web browser security. It states that scripts on one domain are only able to interact with data from that domain, not any others. To understand this, take the example of a web page that loads content from more than one website onto one page. For example, a website that pulls Facebook data into the webpage you're visiting. Depending on what websites are being intermingled, you might mix one untrusted site and another sensitive website (such as your email). If the SOP is working correctly, the untrusted site must "play in its own sandbox" and cannot access any sensitive data from the user's webmail. However, if the untrusted site can somehow bypass SOP, it is able to interact with the DOM of the trusted site, and read or even send email as the user. The glaring issue should be obvious.
There are steps you can take now, however, to keep your data safe when browsing the Internet:
- If you’re running Android 4.3 or older, upgrade! Later Android versions are not susceptible.
- If you have a phone that does not have the option to update to a newer Android OS version, unfortunately you may need to upgrade your device to a newer, more readily patched version.
- Download the Chrome or Firefox browser. This is both a more modern and more feature-rich browser that is not affected by the vulnerability.
- Make the Chrome or Firefox browser your default for opening links - that way you don’t have to worry about apps using a vulnerable browser.
Here are instructions on how to install the Chrome browser on your Android device*:
- Go to Google Play and download the Chrome or Firefox app
- Install the Chome or Firefox app like you would any other application from Google Play
- Go to your settings
- Go to the “apps menu” or the “application manager”
- View “all apps” in the app menu
- Select the AOSP browser (on most phones this will likely be called “Internet”)
- Tap “clear default”
- The next time you click on a URL, your phone will ask you which application it should open with. Make sure to select the new browser you recently downloaded, and check the “always” box so it remembers your choice for next time.
*Some Android phones may follow a different, but similar process.