The Android platform has taken the world by storm in recent years. It was announced at Google’s recent 2014 I/O developer conference that over 538 million Android devices are currently in use worldwide. Android has now leapfrogged Apple’s iOS in the US, where it currently has almost 52% of the smartphone market share.
But this popular mobile OS also has a questionable security record with many reported vulnerabilities. A major security flaw has been exposed in the Android Open Source Platform (AOSP) browser, which is used by more than a fifth of the world’s smartphone users. This issue, exposed by security expert Rafay Baloch, can lead to the dreaded cookie theft.
Google has replaced the vulnerable WebKit-browser with its newer Chrome browser in versions Jelly Bean 4.2 and above. But the AOSP browser, which is the default browser in Android Jelly Bean, Gingerbread and Froyo (versions 4.1 and below), is endangering millions of mobile/tablet users to this very day.
More about the vulnerability in the AOSP browser.
This vulnerability revolves around Same Origin Policy (SOP), a security mechanism that lies in the heart of every browser. The feature makes sure that scripts can read or interact only with webpage elements from the same origin as the script. This is verified by checking parameters like security protocols (HTTP/HTTPS) and port numbers.
The vulnerable AOSP browser allows the malicious attacker to bypass the SOP security mechanism. For example, a secure browser should be able to prevent malicious script from infected websites to access legal websites and applications. This is not the case in the AOSP browser, where the SOP can be bypassed to steal the victim’s cookie.
“Once the SOP is breached, many standard protection mechanisms such as Anti-XSS and Anti-CSRF become useless, making the end-user completely vulnerable,” says Checkmarx CTO Maty Siman. “Many mobile applications are written in HTML5 [not native] and run in the context of the web-browser, making them vulnerable also.”
For example, the lack of SOP mechanism can allow a malicious website/application to embed an HTML iframe of the victim’s banking website and perform actions on his behalf, without his prior knowledge or consent.
Related: 10 Commandments of Android Safety
Why is the AOSP browser vulnerability tough to deal with?
The aforementioned security issue is worsened by the diverse version fragmentation of the Android platform. This OS segmentation has led to numerous loopholes, which are expected to intensify later this year with Google’s upcoming Android L software version. The current breakdown, accurate for 11 Sep, 2014, looks like this:
Mobile browser usage patterns updated for August, 2014.
For example, fixing a KitKat vulnerability won’t solve the issue in the Ice Cream Sandwich or Jelly Bean versions. This problem is magnified by the complex patching process. Even when security updates are released by Google, handset manufacturers and mobile vendors don’t always implement them in their customized ROMs.
Latest mobile usage research shows that more than 20% of the smartphone users worldwide still use the vulnerable AOSP browser and are currently in direct danger of being victims of cookie/privacy theft.
What can be done to combat the AOSP browser vulnerability?
Google initially claimed that it couldn’t reproduce the problem and binned the report. But it officially acknowledged the vulnerability when the findings went public and is currently working on a security patch. Unfortunately, the fix will be only partially effective due to the version fragmentation and customized ROM problems.
The immediate step all Jelly Bean, Ginger Bread and Froyo versions Android users should take is avoid the built-in AOSP browser in their devices. Alternate options are available for free in the Google Play Store and should be preferred over the default WebKit one. Leading alternatives include Chrome, Safari and Opera Mini.
Checkmarx CTO Maty Siman talking about the SOP security mechanism.
Developers are also advised to implement Checkmarx’s CxSuite Source Code Analysis (SCA) solution to produce secure code with minimal vulnerabilities and eventually steer clear of various security issues.
To learn more on how Checkmarx helps in detecting AOSP browser vulnerabilities – Contact Us
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.