Researchers have found significant security vulnerabilities in nearly a dozen alternative Android Web browsers, highlighting the risks browsers pose to enterprise Android users as a variety of little-known mobile browsers gain popularity.
Security researchers at Atlanta-based VerSprite LLC have been studying a number of common attack vectors against 10 of the most popular alternative Android browsers available in the Google Play Store, based on number of downloads and overall user rating. VerSprite found that all 10 of the browsers fell victim to at least one of the vulnerabilities studied.
Specifically, VerSprite found the alternative browsers to be vulnerable to SQL injection, allowing attackers to capture bookmarks and browsing history. VerSprite used intent fuzzing to find browsers that had vulnerabilities in exported broadcast receivers. In these browsers, sending an empty intent would cause a NullPointerException and lead to the browser crashing. Browsers were also found to store OAuth tokens for Facebook and Twitter sessions, as well as passwords in plain text.
VerSprite lead security researcher Benjamin Watson declined to provide specifics as to how many browsers were affected or if the flaws were limited to certain Android versions, noting that the company's testing is still ongoing. Watson also declined to release the full list of names of the browsers it tested, because the team is trying to work with developers of the browsers to fix any found vulnerabilities before releasing the details, though VerSprite confirmed that it has already helped foster a fix for an intent URL-handling flaw in the Baidu Browser.
Watson noted that the team steered away from major browsers like Chrome, Firefox and Opera because those apps have already been thoroughly researched, but so-called alternative browsers historically haven't received the same level of scrutiny from security researchers, even though they have been downloaded millions of times by users around the globe. A search of the Google Play Store showed browsers including UC Browser, CM Browser, Dolphin Browser, One Browser, Maxthon, Baidu and Puffin raking among the most popular alternative Android browsers.
VerSprite's research has focused on a variety of dangerous vulnerabilities, including browsers that stored hard-coded encryption keys for encrypted data that might be synced with the cloud. VerSprite was able to reverse-engineer the encryption algorithm from the hard-coded key and decrypt some of that data on the device, which could include device ID information or other information that could be used after decryption to access user data from the browser's cloud storage.
As of February, Google's official numbers said that Android 4.3 and older versions made up 58.7% of the Android ecosystem, and Watson said that one of the four Android browsers tested was still vulnerable to this exploit, with tests of six other browsers still pending.
Intent URL scheme vulnerability
The most widespread vulnerability that VerSprite has been researching is in connection with Android's intent URL scheme. Google's lead for Android Security, Adrian Ludwig, said in an interview with SearchSecurity that the goal of the intent URL function is to make it possible for Web-based applications to interact with installed apps.
"This is what allows for smooth transitions between applications," said Ludwig, "like being able to tap a link in a browser and have it open a social profile in the related Android app on a device."
Watson agreed that there is immense value in the intent scheme functionality, but warned that the value did not come without risk. He described a remote attack technique that leverages the intent URL scheme to target specific components from the browser and enable a malicious actor to steal authentication data, cookies and potentially data from other apps on the device, if those apps allow.
Benjamin WatsonVerSprite lead security researcher
"I think the ability to use the scheme to call other components within your app by its nature is a great feature," said Watson, "but this feature without proper understanding of the potential for abuse can turn into a vulnerability."
Watson has said that half of the 10 browsers tested were found to be vulnerable to this attack, occurring on all versions of Android. VerSprite has already worked with the Baidu Browser team to fix the issue in its app. Watson said all major Android browsers support the intent URL scheme because of how useful it is within the platform, but developers don't necessarily know the best ways to protect user data when implementing the functionality.
Ludwig said that security checks need to be in place any time there's communication among different browser components. He noted that the default is that Android applications are not enabled to receive content from the intent scheme, so developers must make apps browsable, acknowledging and accepting the risk associated with the function and that the app can handle intents properly.
Ludwig also said that the default in WebView is to not send intent objects to an application, but that ultimately, it is up to the browser to check these settings before sending things along.
"It's relatively simple to check if something is browsable before sending it," Ludqwig said, "but the browser may not check if the app is browsable. In this case, directed intents targeted at your own application route to something not browsable and not exported."
Watson said that there are dozens, if not hundreds, of broadly used alternative browsers found in the Play Store that could contain the same vulnerabilities described above. Many of these browsers do not have more than a few thousand downloads, but Watson expressed concern about these flaws recurring in the development of future mobile browsers, putting many more users at risk.
Watson said that the most frustrating part of finding these vulnerabilities in so many alternative browsers is that it is relatively easy for developers to protect users against them. For example, he noted that a white paper on intent vulnerabilities from Tokyo-based Mitsui Bussan Secure Directions Inc. that shows what is needed for browser developers to filter malicious intents, and the mitigation consists of a mere four lines of code.
Watson said this is where alternative Android browsers often fail. Half of the browsers tested by VerSprite did not check before parsing intents. Additionally, Watson said that while the default is for Android apps to not receive intents, leaving this as the default handing method will severely limit functionality when a developer is building a browser.
"The problem is that developers still need to be aware of parsing URIs into WebViews," said Watson, "and the nature of malicious Intents and Intent-based attacks via the scheme."
According to Ludwig, Google does have extensive Android documentation, and reaches out to developers when researchers find apps with vulnerabilities. He also said that all apps submitted to Google Play are automatically scanned for potential security issues. However, these scans don't look for smaller-scale issues like the intent scheme vulnerabilities, which only affect a limited number of apps.
"The automatic scans will check for apps that use out-of-date libraries or apps that don't do cryptochecks," Ludwig said. "These targets give us something to focus on and allow us to find risks in a broad range of apps."
Watson said that despite the Android documentation, too often developers are not aware of these vulnerabilities and how to protect users, leading to user data being put at risk.
"It may not be systemic, but it is certainly a topic that needs to be brought into the open," Watson said. "The security community knows about these vectors and how they are attacked, but developers don't. If more browsers are released into the Play Store with these vulnerabilities and gain popularity, millions more users could be at risk."
Learn how to balance BYOD risks and rewards.