Android browser SOP bypass bug: Who’s affected, and what to do?
A security researcher has recently discovered not just one but two vulnerabilities in the Android Open Source Project (AOSP) browser that could allow attackers to bypass the software’s Same-Origin Policy (SOP) security control and get their hands on users’ confidential data and session cookies.
Up until the latest version of Android (v4.4, i.e. KitKat), the browser came installed by default. In KitKat, it has been replaced with Chrome, and the flaw has been fixed.
According to the numbers provided by mobile security firm Lookout, around 45 percent of their users have a vulnerable version of the AOSP browser installed.
The percentages differ wildly when the numbers are grouped by country. 81 percent of Japanese users have the vulnerable browser, 73 percent in Spain, around 60 percent in France and Germany, and as little as 34 percent in the US. These numbers can be explained by the fact that the average age of phones is much lower in the US than in these other countries.
The numbers do not say what percentage of users actually use the browser in question, but according to Rapid7 engineer Tod Beardsley, the AOSP browser is still very popular, even on modern devices used by sophisticated users who prefer it over Chrome, Firefox, or other browsers.
Also, many lower-end prepaid phones from major manufacturers and carriers still ship with pre-4.4 builds of Android and the AOSP browser, he noted.
Given that researcher Rafay Baloch has released proof-of-concept exploit for the bugs, and Rapid7 has released a Metasploit module that takes advantage of the first flaw, its probable that some attackers are already mounting low-key attacks in the wild.
Fortunately, users can easily avoid being compromised: they can upgrade to Android KitKat, or switch to using another browser for the time being (and make sure to set it as the default browser for opening links).