

Android browser security: How can AOSP browser flaws be fixed?

While Google fixed the issue on its Android OS, many browsers still fall victim to a known same-origin bypass AOSP browser flaw. Expert Michael Cobb discusses how to avoid the risk.

A flaw in the Android browser, which Google no longer supports, was recently discovered that allows attackers to steal user data from the application. Google already patched the vulnerability for Chrome, which is now the default browser for Android devices, but the Android browser still sits on many devices. What is the best way to mitigate this issue?

Security researcher Rafay Baloch discovered a same-origin policy bypass vulnerability in Android browser versions prior to 4.4 that allows an attacker to steal data from sites opened in other tabs of a user's browser. The vulnerability, CVE-2014-6041, stems from the way the Android function responsible for loading frame URLs handles JavaScript.

The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It permits scripts running on pages from the same origin to access each other's Document Object Model without specific restrictions, but prevents access to the DOM of pages on other origins. So, for example, JavaScript from one origin should not be able to read the properties of a page on another origin. A strict separation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity. Two pages have the same origin if the protocol, port and host are the same for both pages. It's an important concept in the Web application security model, as it prevents some types of cross-site request forgery attacks.
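The origin comparison described above, as an added example that is not part of Cobb's article: a same-origin check that compares scheme, host and port (normalising default ports) and treats URLs without a tuple origin, such as javascript: or data:, as never same-origin, which is the conservative answer a frame loader should give. The sample URLs are constructed for the example.

```javascript
// Added example, not code from the original article: a minimal
// same-origin check implementing the (scheme, host, port) rule.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns the (scheme, host, port) tuple for an http(s) URL, or null
// when the URL has an opaque origin (javascript:, data:, about:blank)
// or cannot be parsed at all. Opaque origins have no tuple to compare.
function originTuple(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // unparseable input: never same-origin
  }
  if (!(url.protocol in DEFAULT_PORTS)) {
    return null; // javascript:, data:, about: ... have opaque origins
  }
  return {
    scheme: url.protocol,
    host: url.hostname.toLowerCase(),
    // URL parsing drops a default port, so restore it for comparison.
    port: url.port || DEFAULT_PORTS[url.protocol],
  };
}

// True only when both URLs have tuple origins and all three parts agree.
function isSameOrigin(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  if (ta === null || tb === null) return false;
  return ta.scheme === tb.scheme && ta.host === tb.host && ta.port === tb.port;
}

// Constructed sample: what a page in one tab should and should not be
// able to reach in another tab under the policy.
const checks = [
  ["https://bank.example/account", "https://bank.example:443/transfer"], // same origin
  ["https://bank.example/account", "http://bank.example/account"],       // scheme differs
  ["https://bank.example/account", "https://bank.example:8443/"],        // port differs
  ["https://bank.example/account", "https://evil.example/"],             // host differs
  ["https://bank.example/account", "javascript:void(0)"],                // opaque origin
];
for (const [a, b] of checks) {
  console.log(`${a} vs ${b}: ${isSameOrigin(a, b)}`);
}
```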

Researchers from security firm Rapid7 Inc. found that Android Open Source Project browsers shipped with versions of the operating system prior to Android 4.4 (KitKat) are affected; Google replaced the AOSP browser with its Chrome browser in Android 4.4. This means approximately 75% of the fragmented Android ecosystem is affected, and it appears a fix has only been rolled out for Android 4.1 - 4.3, leaving earlier versions unpatched. Other browsers based on AOSP's code -- such as Samsung's browser -- also contain this flaw.

Users will have to wait for device vendors to import patches and release firmware updates. The timeframe for this to happen can vary greatly among manufacturers, devices and even countries as local carriers play a role in the distribution of over-the-air updates.

Enterprises should ensure all devices are upgraded to the latest version that doesn't contain the Android browser security vulnerability. Devices that can't be upgraded should be retired and replaced. If this is not an option, install the Chrome browser, as it's not affected. Be sure to make Chrome the default browser for opening links, to prevent other apps from handing URLs to the vulnerable browser, which unfortunately can't be uninstalled.

This is a serious vulnerability as it could lead to an attacker stealing session cookies and hijacking a user's session completely, so administrators should look to mitigate this risk as soon as possible.

Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)


This was last published in April 2015
