A recent study revealed that many alternative Android browsers pose multiple security risks. What are the issues surrounding alternative browsers, and what is the best way to prevent our organization's BYOD employees from using them?
Although every Android device ships with a preinstalled browser, many users prefer to install one of their own choosing. Browsers from major vendors, such as Mozilla's Firefox and Opera, are available for Android, but so are dozens of so-called "alternative browsers" -- UC Browser, Dolphin Browser, Maxthon and Puffin among them -- which have been downloaded millions of times by users around the world. Some are considered faster or more customizable than the built-in browser, while others minimize bandwidth consumption for users worried about roaming charges.
Worryingly for enterprises that operate BYOD environments, research by VerSprite Inc. on 10 of the most popular alternative Android browsers in the Google Play Store found at least one major security vulnerability in each of them. The flaws included SQL injection, OAuth tokens and passwords stored in plaintext, and insecure handling of intent URLs. These potentially serious weaknesses put the data on a device at risk, and they stem mainly from insecure coding practices on the part of the teams that developed the browsers.
For example, the most widespread vulnerability VerSprite found relates to Android's intent functionality. The purpose of intent URLs is to let Web content interact with installed apps: tapping a link in the browser can open a social profile directly in the corresponding Android app on the device. The feature is useful, but a browser that passes such a URL through without restriction can be abused by an attacker to steal authentication data and cookies, and to read data belonging to other apps on the device. A hostile page can, for instance, name a specific app component in the URL instead of letting the system resolve it, or supply a fallback URL with a local file scheme that the browser then loads with its own privileges. There is ample documentation on how to implement intent URL handling correctly, and it only takes four lines of code to filter malicious intents, yet developers are clearly not taking the time to understand the vulnerabilities certain functions can introduce and how best to protect their users.
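The following Python is an added example, not code from this article or from any of the browsers VerSprite tested. It models what a browser must do with an intent:// link before dispatching it: parse the URI, discard any explicit component and selector, force the BROWSABLE category so only activities that opted in to Web launches can match, and refuse a browser_fallback_url that is not http(s). In an Android app the same hardening is applied to the Intent object itself after Intent.parseUri, by adding CATEGORY_BROWSABLE and setting the component and selector to null; the Python reproduces that logic so it can be run anywhere. The sample links, package names and activity names are constructed for illustration and are not taken from the VerSprite report.

```python
"""Parse Android intent: URIs and apply the hardening a browser needs before
dispatching them. Shape: intent://HOST/PATH#Intent;key=value;...;end with keys
scheme, action, category, package, component, a SEL selector marker and typed
extras such as S.browser_fallback_url (loaded by the browser when no app matches)."""
from __future__ import annotations

from dataclasses import dataclass, field, replace
from urllib.parse import unquote, urlsplit

BROWSABLE = "android.intent.category.BROWSABLE"
SAFE_FALLBACK_SCHEMES = {"http", "https"}


@dataclass
class IntentUri:
    target: str                       # HOST/PATH after "intent://"
    scheme: str | None = None
    action: str | None = None
    package: str | None = None
    component: str | None = None      # explicit target, e.g. pkg/.Activity
    has_selector: bool = False        # a ";SEL;" section was present
    categories: set[str] = field(default_factory=set)
    extras: dict[str, str] = field(default_factory=dict)

    @property
    def fallback_url(self) -> str | None:
        return self.extras.get("browser_fallback_url")


def parse_intent_uri(uri: str) -> IntentUri:
    """Parse an intent: URI; raise ValueError on anything malformed."""
    if not uri.startswith("intent:"):
        raise ValueError("not an intent: URI")
    target, marker, params = uri[len("intent:"):].partition("#Intent;")
    if not marker or not params.endswith(";end"):
        raise ValueError("missing #Intent; ... ;end envelope")
    parsed, in_selector = IntentUri(target=target.removeprefix("//")), False
    for item in params[: -len(";end")].split(";"):
        if item == "":
            continue
        if item == "SEL":             # the rest of the parameters describe the selector
            parsed.has_selector = in_selector = True
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"bad parameter {item!r}")
        if in_selector:               # selector fields are dropped by harden() anyway
            continue
        if key in ("scheme", "action", "package", "component"):
            setattr(parsed, key, value)
        elif key == "category":
            parsed.categories.add(value)
        elif key.startswith("S."):    # string extra; other typed extras are ignored here
            parsed.extras[key[2:]] = unquote(value)
    return parsed


def harden(parsed: IntentUri) -> IntentUri:
    """Force CATEGORY_BROWSABLE and drop the explicit component and selector, so a
    page cannot aim the intent at a chosen (possibly non-exported) activity."""
    return replace(parsed, component=None, has_selector=False,
                   categories=parsed.categories | {BROWSABLE})


def safe_fallback(parsed: IntentUri) -> str | None:
    """Only http(s) fallbacks are loaded: a file:, content: or javascript: fallback
    would open with the browser's own privileges and expose its local data."""
    url = parsed.fallback_url
    if url is not None and urlsplit(url).scheme.lower() in SAFE_FALLBACK_SCHEMES:
        return url
    return None


def dispatch_plan(uri: str) -> dict:
    """What a hardened browser would do with a link."""
    try:
        parsed = parse_intent_uri(uri)
    except ValueError as err:
        return {"action": "reject", "reason": str(err)}
    hardened = harden(parsed)
    fallback = safe_fallback(hardened)
    target = f"{hardened.scheme}://{hardened.target}" if hardened.scheme else hardened.target
    return {"action": "launch", "target": target, "package": hardened.package,
            "component": hardened.component,           # always None after hardening
            "categories": sorted(hardened.categories), "fallback": fallback,
            "stripped_component": parsed.component,    # what the page tried to target
            "dropped_fallback": None if fallback else parsed.fallback_url}


# Constructed sample links for illustration (not taken from the VerSprite report).
BENIGN = ("intent://profile/alice#Intent;scheme=socialapp;package=com.example.social;"
          "S.browser_fallback_url=https%3A%2F%2Fsocial.example%2Falice;end")
HOSTILE = ("intent://x#Intent;scheme=http;component=com.example.browser/.SettingsActivity;"
           "S.browser_fallback_url=file%3A%2F%2F%2Fdata%2Fdata%2Fcom.example.browser"
           "%2Fdatabases%2Fcookies.db;end")
```

Calling dispatch_plan(HOSTILE) shows the two checks doing their work: the explicit component naming one of the browser's own activities is stripped before dispatch, and the file: fallback pointing at the browser's cookie database is dropped, whereas dispatch_plan(BENIGN) launches the social app with its https fallback intact. The point of resolving through the system with BROWSABLE forced, rather than honoring whatever component the page asked for, is that it reduces an intent URL to exactly what a Web page is allowed to do.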
Another problem is that developers must ensure their code works as expected across an ever-increasing number of Android devices; a 2014 survey by OpenSignal Inc. counted 18,796 distinct Android device models among users of its app. Combine that hardware diversity with the many Android versions in use and the result is a very fragmented ecosystem in which testing every combination is impractical.
This fragmentation also creates problems for administrators trying to keep enterprise networks and data secure while allowing employees to bring their own devices. BYOD policies should encourage employees to keep their devices up to date, particularly given Google's decision to stop providing security patches for WebView vulnerabilities on devices running Android Jelly Bean (4.3) or earlier. (WebView is the core Android component used to render Web-based content, and many third-party browsers rely on it rather than shipping their own engine.) Given the issues VerSprite's research raised, BYOD policies should state which browsers are acceptable as a device's default browser and, through mobile device management or similar controls, block access to corporate resources from devices running unapproved ones; a written policy on its own will not stop a user from installing whatever browser they like.
An innovative developer community is important for creating new products and giving users choice, but innovation has to include security. The Mozilla Firefox and Google Chrome builds available from Google Play are not flawless, but security is a mature, established part of their creators' software development processes. Even so, enterprises should always perform a risk assessment of any software that accesses corporate resources, particularly software from new or unknown developers.