Just recently back in early September, security researcher Rafay Baloch discovered a bug in Android’s stock web browser which caused it to fail to enforce same origin policy (SOP). In simple terms, this means that the browser is not capable of securely loading content from multiple sources. The bug impacted ALL pre-Kitkat devices, and thankfully, was patched fairly quickly by Google. As security researcher Tod Beardsley described it, what this bug actually did was allow any website (supposedly controlled by a spammer or spy) to peek into the content of other web pages. For example, suppose you visited an attacker’s site while in another tab and had your email open. With this bug, the attacker could easily scrape all your email data and see exactly what your browser sees.
The bug still affects all pre-Kitkat devices unfortunately, as Google dropped the browser in Android 4.4. Even then, security experts Lookout reported that the bug still affects 45% of Android devices running Lookout software. And this is likely a very good estimated guess, as Lookout’s software is currently in use on more than 100 million devices. According to folks at Lookout, the issue is an “glaringly obvious one” and will probably never be fixed by the manufacturer. So, the question most of you might have in your minds: what can I do to prevent such an issue happening on my device? Well, there are a few precautions you can take:
The safest option is to disable the default Android browser since it’s likely that it can be uninstalled. This can be done in the Application Manager for Android. Upgrade your device’s Android OS to Android 4.4 or later. Anything that is older than 4.4 is vulnerable to this bug. If you can’t upgrade your OS, it might be time to pick up a new device, seeing how much damage this bug can cause. Switch to either Chrome or Firefox browser on your Android device, as they are updated regularly and unaffected by this bug. Make sure to set these browsers as the default, too.
Be sure to let us know what you think of this bug in the Comments below.
