A recent study revealed that many alternative Android browsers pose multiple security risks. What are the issues surrounding alternative browsers, and what is the best way to prevent our organization's BYOD employees from using them?
Although Android devices ship with a preinstalled browser, many users prefer to install a browser of their own choice. Browsers from major vendors, such as Mozilla Firefox and Opera, are available for Android, but so too are dozens of so-called "alternative browsers" -- such as UC Browser, Dolphin Browser, Maxthon and Puffin -- which have been downloaded millions of times by users around the world. Some are considered faster or more customizable than the built-in browser, while others minimize bandwidth consumption for users concerned about roaming charges.
Worryingly, for enterprises operating BYOD environments, research by VerSprite Inc. on 10 of the most popular alternative Android browsers available in the Google Play Store found at least one major security vulnerability in each of them. Vulnerabilities included SQL injection, storing OAuth tokens and passwords in plaintext, and insecure use of the intent URL function. These potentially serious flaws put data on the device at risk and are mainly due to poor coding by the teams that developed the alternative browsers.
For example, the most widespread vulnerability found by VerSprite relates to Android's intent functionality. The purpose of the intent URL function is to let Web-based content interact with installed apps -- for example, tapping a link in a browser and having it open a social profile in the related Android app on the device. While a useful feature, if it is not implemented correctly it can be leveraged by attackers to steal authentication data, cookies and data belonging to other apps on the device. Ample documentation is available on how to implement intent URL handling correctly -- and it takes only four lines of code to filter malicious intents -- yet developers are clearly not taking the time to understand the vulnerabilities certain functions can introduce and how best to protect their users.
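To make the intent URL point concrete, here is an added example (not code from the article or from any of the browsers it names) of a WebViewClient for a hypothetical Android browser. It contrasts the pass-through pattern the article criticizes with the filtering recommended in Android's developer documentation: adding the BROWSABLE category and clearing the component and selector before launching the parsed intent. The package name and the `browser_fallback_url` handling are assumptions for this example.

```java
// Added example: handling intent:// URLs reached from web content in an Android browser.
// Package name is hypothetical; the hardening steps follow Android's developer documentation.
package com.example.browser;

import android.app.Activity;
import android.content.Intent;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URISyntaxException;

public class IntentUrlClient extends WebViewClient {
    private final Activity activity;

    public IntentUrlClient(Activity activity) {
        this.activity = activity;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (url.startsWith("intent:")) {
            return launchIntentUrlHardened(view, url);
        }
        return false; // ordinary http(s) URLs are loaded by the WebView as usual
    }

    // INSECURE pattern: the intent is launched exactly as the web page wrote it.
    // Intent.parseUri honours an explicit "component=" and a selector embedded in the
    // URL, so a page can target arbitrary activities on the device, including the
    // browser's own non-exported activities that handle cookies or tokens.
    boolean launchIntentUrlInsecure(String url) {
        try {
            Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
            activity.startActivity(intent);
            return true;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // HARDENED pattern: the "four lines" of filtering the article refers to.
    boolean launchIntentUrlHardened(WebView view, String url) {
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return false; // malformed intent URL: do nothing
        }
        // 1. Only activities that declared themselves launchable from a browser may receive it.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // 2. Discard any explicit target the page supplied; resolve by action and data only.
        intent.setComponent(null);
        // 3. Discard the selector, which could otherwise smuggle an explicit target back in.
        intent.setSelector(null);

        // startActivityIfNeeded returns false when nothing resolves the filtered intent.
        if (!activity.startActivityIfNeeded(intent, -1)) {
            // Optional fallback: a page may name a plain web URL to load instead.
            // Restrict it to http(s) so the fallback cannot reintroduce another scheme.
            String fallback = intent.getStringExtra("browser_fallback_url");
            if (fallback != null
                    && (fallback.startsWith("http://") || fallback.startsWith("https://"))) {
                view.loadUrl(fallback);
            }
        }
        return true; // handled here; the WebView must not try to load the intent: URL itself
    }
}
```

The difference between the two methods is only the three calls in the hardened path, which is why the article calls the fix a few lines of code: without them, resolution of the intent is entirely under the control of whoever wrote the web page.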
Another problem is that developers need to ensure their code works as expected on an ever-increasing number of Android devices; a 2014 survey by OpenSignal Inc. identified 18,796 unique Android devices using its software. Combine this diversity of devices with the various versions of Android that users are running and you have a very fragmented ecosystem.
This fragmentation also presents a problem to administrators trying to keep enterprise networks and data secure while allowing employees to bring their own devices. BYOD policies should encourage employees to keep their devices up to date, particularly given Google's decision to no longer provide security patches for WebView vulnerabilities on devices running Android Jelly Bean (4.3) or earlier. (WebView is a core component of the Android operating system used to render Web-based content.) Given the security issues raised by VerSprite's research, BYOD policies should state which alternative browsers are acceptable to be used as the device's default browser and block network access to devices using unapproved browsers.
Having an innovative community of developers is important for creating new products and offering users choices, but innovation has to include security. The Mozilla Firefox and Google Chrome browsers downloadable from Google Play may not be flawless, but security is very much part of the mature software development process their creators practice. Even so, enterprises should always risk-assess software that accesses corporate resources, particularly software from new or unknown developers.
Ask the Expert
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now. (All questions are anonymous.)