Thursday 18 September 2014

Major AOSP browser flaw could compromise nearly half of all Android devices

A new security bug in the Android Browser could have massive implications for Android users. Though the bug was reported last month by researcher Rafay Baloch, it has come to the fore only now.
In a blog post, Security Street Rapid7 calls the bug a ‘privacy disaster.’ It allows a hacker to “load” JavaScript into any arbitrary frame or window. The blog explains, “What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker’s site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”
With a large number of users relying on the browser, widespread impact is quite likely. It must be noted that the attack is possible only on the stock AOSP browser, which is the legacy browser used by many OEMs, despite Chrome being available. All new Google devices such as the Nexus series, the Android One range and even some Motorola phones use Chrome as the only browser out of the box. A report by Ars Technica points out, “As our monthly look at Web browser usage shows, Android Browser has a little more real-world usage than Chrome for Android, with something like 40-50 percent of Android users using the flawed browser. The Android Browser is likely to be embedded in third-party products, too, and some Android users have even installed it on their Android 4.4 phones because for one reason or another they prefer it to Chrome.”
Since it is a stock Android app, one cannot really uninstall it, unless you have sideloaded it as Ars Technica describes above. However, Sophos Security points out that one can choose the Disable option. In its blog post, the security firm states, “Stop using Browser if you have it installed. You’ll know you have it by going to Settings/Apps/All and looking for its tell-tale icon. You almost certainly can’t uninstall it, because it’s usually part of the operating system build itself, meaning it doesn’t show up under Settings/Apps/Downloaded. But if you tap on the Browser option from the All apps page, you should see a Disable button instead of Uninstall.”
If you have a rooted device, uninstalling the Browser is possible, and is highly recommended. For now, if you cannot root your phone, it’s best not to use the browser at all, and to go with a third-party alternative. Wondering which one to pick? Why not have a look at our extensive comparison of the major Android browsers?
Posted by : Gizmeon
