Over the past month, Rafay Baloch, a security researcher, has been investigating two lingering vulnerabilities in the built-in Web browser of Android devices, and security vendor Lookout conducted a study that produced an alarming figure: 45 percent, nearly half, of devices running Google’s mobile operating system are susceptible to the flaw.
Security experts say the flaw in the Android Open Source Project (AOSP) browser permits attackers to circumvent a fundamental security boundary built into every browser, the same-origin policy (SOP). How does SOP work? It ensures that scripts loaded from one domain cannot read or interact with content that was loaded from a different domain.
Without it, attackers can embed a barely noticeable iframe of a popular page such as Facebook or Google and lure unsuspecting users into visiting their page, then read what that frame contains. They could then hijack your session on that website, which would give attackers the opportunity to view your session data such as email content and Facebook messages, or any other private content.
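The origin comparison that SOP rests on, as an added Node.js illustration that is not part of the article: a page may touch a frame's document only when scheme, host and port all match. The URLs and frame objects are constructed samples.

```javascript
// Added example, not from the article. Models the same-origin check a browser
// performs before a script in one document may read another document (such
// as an iframe). An origin is the tuple (scheme, host, port); default ports
// are normalised so "http://example.com" equals "http://example.com:80".
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function originOf(urlString) {
  const u = new URL(urlString);
  // URL leaves port empty for the scheme's default, so fill it in explicitly.
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Simulated frame tree: a page from one origin embeds an iframe from another.
// With SOP intact the framed document is returned only on an origin match;
// the bypass described above is precisely this check failing to apply.
function accessFrameDocument(callerUrl, frame) {
  if (!sameOrigin(callerUrl, frame.url)) {
    return {
      allowed: false,
      reason: `Blocked ${originOf(callerUrl)} from reading a frame of ${originOf(frame.url)}`,
    };
  }
  return { allowed: true, document: frame.document };
}

// Constructed sample: a hypothetical webmail inbox framed by a third-party page.
const mailFrame = { url: 'https://mail.example.net/inbox', document: '<inbox contents>' };
const fromThirdParty = accessFrameDocument('http://third-party.example/page', mailFrame);
const fromSameSite = accessFrameDocument('https://mail.example.net/settings', mailFrame);
console.log(fromThirdParty.reason);       // blocked: different scheme and host
console.log(fromSameSite.allowed);        // true: same origin
```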
According to Baloch, Android versions affected by the SOP vulnerabilities include those older than Android 4.4, which according to Google represents 75 percent of all Android devices worldwide. Android 4.4 is excepted because its default browser is Google Chrome rather than the AOSP browser found in older versions of the operating system.
Thankfully the problem is not quite so alarming, because Google has already rolled out fixes for those vulnerabilities. The only remaining problem is how each device vendor will apply those patches to its respective products.
But because Android firmware updates vary by manufacturer, by device and by country, this will certainly be an onerous task. Local carriers in each country also have work to do to distribute the over-the-air updates.
Lookout also released data about the two vulnerabilities collected from other parts of the globe. In Japan, 81 percent of Lookout users currently have the browser vulnerable to the AOSP bypass flaw installed on their mobile devices. In the United States, only 34 percent have the vulnerable version of the software installed, while in the United Kingdom the figure is 51 percent.
The uneven distribution of the AOSP vulnerability is puzzling, but could be attributed to less frequent release of updates in some territories, according to Lookout.