What Is the Android Browser Security Bug?
The Android Security Bug was found by the independent security researcher Rafay Baloch and affects 50% of Android users. It is located in the Android Browser app and allows one website to steal data from another website, including passwords and cookies.
When Was the Android Browser Security Bug Spotted?
The Android Security Bug was reported on the first day of September. Later it was found to have grave implications for Android users. The WebKit-based Android Browser was part of the Android Open Source Platform. This browser has a flaw that enables malicious sites to inject JavaScript into other sites. These malicious sites can then read passwords and cookies, grab keyboard input and submit forms.
How Does the Android Browser Security Bug Work?
Browsers are designed to prevent a script from one site from accessing content that belongs to another site. This is done through the Same Origin Policy (SOP): scripts can only read or modify resources that come from the same origin as the script, where the origin is determined by the combination of scheme, domain, and port number. The purpose of the Same Origin Policy is to keep a malicious script on one site from reaching into another site. The bug, however, breaks the browser's handling of the SOP.
The security expert who spotted the bug found that JavaScript could be constructed in such a manner as to ignore the SOP and access the content of other sites with no restriction. In other words, any site visited in the affected browser can steal important and sensitive data. That is why this bug needs to be fixed immediately.
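The origin comparison that the Same Origin Policy relies on can be sketched as follows. This is an added example, not code from the researcher or from the Android Browser; the function names and sample URLs are constructed, and it covers only http and https origins.

```javascript
// Added example: the origin comparison behind the Same Origin Policy.
// Function names and sample URLs are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) tuple for a URL, or null when the URL
// has no tuple origin (data:, about:, javascript:, unparsable input).
function originOf(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return null;
  }
  if (!(url.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: url.protocol,
    host: url.hostname, // URL lowercases hostnames for http/https
    port: url.port || DEFAULT_PORTS[url.protocol],
  };
}

// Two URLs are same-origin only when all three parts match exactly.
// A URL without a tuple origin is never same-origin with anything.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample: a script on one page asking for other resources.
const page = "https://bank.example/account";
const requests = [
  "https://bank.example:443/api/balance", // same origin (default port)
  "http://bank.example/api/balance",      // different scheme
  "https://login.bank.example/session",   // different host
  "https://bank.example:8443/admin",      // different port
  "data:text/html,<p>hi</p>",             // no tuple origin
];

function evaluate(pageUrl, targets) {
  return targets.map((t) => ({ target: t, allowed: sameOrigin(pageUrl, t) }));
}

for (const r of evaluate(page, requests)) {
  console.log((r.allowed ? "ALLOW " : "BLOCK ") + r.target);
}
```

A browser with a working SOP applies this kind of check before letting a script read another document; the bug described here means the affected browser does not enforce it reliably.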
Android vs. Chrome
Google is attempting to get more control over Android and has thus discontinued the AOSP browser. The Android Browser was Google's default browser until things changed with Android 4.2, when Google decided to use Chrome as its browser. For some time, the main parts of the Android Browser were still used to power the embedded web view used in applications. Things truly changed in Android 4.4, when Google started using a browser engine based on Chrome.
Android Browser Usage
Even after Google discontinued its open source browser application, the flawed Android Browser is still in use. This browser can be embedded in third-party products and can be installed on phones running the new Android 4.4.
According to Google's own data, only ¼ of all Android users are actually using the new 4.4 version. The rest of the users are on Android versions 4.1 and older. In other words, 75% of users are not using versions with Chrome as the default browser.
Fixing the Privacy Disaster
Experts refer to the Android Browser Security Bug as a ‘privacy disaster’ and are trying to fix it. This will not be easy, since Chrome is updated through the Play Store while the AOSP browser is updated only through operating system updates.
The Verdict
Users are not in a position to uninstall the Android Browser, as it is part of the operating system they use. However, if they tap on All apps and then Browser, they will see a ‘Disable’ button and an ‘Uninstall’ button. The danger will then be disarmed, and the user will be prevented from using this risky browser again. The user should choose another browser in its place.
The best thing that Android 4.0 users can do at the moment is to avoid exposure to the Android Security Bug by switching to Firefox, Chrome, Dolphin or Opera, which are not affected by the broken code.