A serious Android bug is on the loose that some experts say could result in a privacy disaster. The bug, found in the browser app shipped with pre-Android 4.4 devices, bypasses the Same-Origin Policy (SOP) protection of the Android Open Source Platform (AOSP) browser.
What this means is that any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you visited an attacker's site while you had your webmail open in another window: the attacker could scrape your e-mail data and see whatever your browser sees. Worse, he could grab a copy of your session cookie and hijack your session completely, reading and writing webmail on your behalf.
AOSP is an old browser, one that Google no longer supports because it has been replaced by Chrome. But in a world where folks stubbornly stayed with Windows XP even after Microsoft warned it was cutting support, being old and unsupported clearly doesn't mean being obsolete. Approximately 75 percent of Android browsers run on pre-4.4 systems, many of them the 4.2 Jelly Bean OS found in lower-end (that is, cheap or pay-as-you-go) devices.
There is a remarkably simple way to avoid being a victim of this vulnerability: don't use the AOSP browser if it is installed on your device. That, of course, is much easier said than done, because people use what they like and what they are accustomed to. In fact, according to SC Magazine, it is often the preferred Android browser for tech-savvy users. SC Magazine reported from an interview with Beardsley:
“The Android Open Source Platform browser generally has a reputation of working much faster,” Beardsley told SCMagazine.com. “People get it because it's a stripped-down browser. But I looked at about five or six Google results pages on how to get it on your phone, and none of them mention that it's no longer supported [by Google],” he said.
For companies that allow BYOD, it's important to give a heads-up to employees who may be using pre-4.4 versions of Android. As Dennis Fisher pointed out in a ThreatPost blog, this bug was first revealed several weeks ago but has been flying under the radar. Company data is potentially at risk if employees use devices with older versions of Android and favor AOSP as their browser, or don't know that it contains this bug.
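One way to act on that BYOD advice is to find out who is actually using the stock browser. The following Python script is an added example (not from the article, SC Magazine or any Android vendor): it scans web-server access-log lines for the AOSP browser on pre-4.4 Android so those users can be warned. It assumes the common heuristic that the stock browser's User-Agent carries a "Version/" token and no "Chrome/" token; the log lines are constructed for illustration.

```python
import re

# Heuristic (assumption, not an official fingerprint): the stock AOSP browser
# advertises "Version/x.y ... Mobile Safari" without a "Chrome/" token,
# whereas Chrome for Android always carries "Chrome/".
ANDROID_RE = re.compile(r"Android (\d+)(?:\.(\d+))?(?:\.(\d+))?")
# Apache/nginx combined log format: the User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(\S+) .* "[^"]*" "([^"]*)"$')


def android_version(ua):
    """Return the Android version as a (major, minor, patch) tuple, or None."""
    m = ANDROID_RE.search(ua)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable_aosp_browser(ua):
    """True if the UA looks like the stock AOSP browser on Android < 4.4."""
    ver = android_version(ua)
    if ver is None:
        return False
    if "Chrome/" in ua or "Version/" not in ua:
        return False  # Chrome or some other engine, not the stock browser
    return ver < (4, 4)


def flag_vulnerable_clients(log_lines):
    """Return (client, android_version) for each hit from the stock browser."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        client, ua = m.groups()
        if is_vulnerable_aosp_browser(ua):
            flagged.append((client, android_version(ua)))
    return flagged


# Constructed sample log lines: two stock-browser clients, one Chrome, one desktop.
SAMPLE_LOG = [
    '10.0.0.5 - alice [24/Sep/2014:10:01:02 +0000] "GET /mail HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-I9100 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '10.0.0.6 - bob [24/Sep/2014:10:01:05 +0000] "GET /mail HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Mobile Safari/537.36"',
    '10.0.0.7 - carol [24/Sep/2014:10:01:09 +0000] "GET /mail HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-I9300 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '10.0.0.8 - dave [24/Sep/2014:10:01:12 +0000] "GET /mail HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"',
]

if __name__ == "__main__":
    for client, ver in flag_vulnerable_clients(SAMPLE_LOG):
        print("warn %s: stock browser on Android %s" % (client, ".".join(map(str, ver))))
```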
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba