Best daily deals

Links on Android Authority may earn us a commission. Learn more.

Android Browser security flaw could affect 40% of Android users

A Same Origin Policy vulnerability has been found in the stock Android Browser, allowing malicious scripts to track your data and read your emails.
September 17, 2014
Android Browser

A vulnerability has been spotted in the open-source WebKit-based Android Browser, which opens up the app to a number of JavaScript exploits – from reading cookies and passwords, to sending emails on your behalf.

The issue was reported as bug on September 1st, but appears to have much larger implications for a number of Android users. Rafay Baloch, a researcher who uncovered the issue, found that Javascript constructed in a particular way could bypass the browser’s Same Origin Policy (SOP), allowing him to alter and exploit the content on a websites loaded in another tab.

SOP is designed to prevent scripts on one site from affecting the content of another page. In other words, scripts can only modify resources coming from the same site domain and/or port number. This prevents malicious websites and scripts from infecting honourable pages. Without this protection, rouge scripts can alter the content of other sites and proceed to upload malevolent scripts, trick users into downloading malware, or track their data.

Who is at risk?

Whilst the odds of running into such an exploit are probably quite small, after all this trick doesn’t usually work, a good number of Android users are still running the exploitable Android Browser.

Pre-Android 4.2, the Android Browser was included as the default browser option, before Google switched the stock option to Chrome and dropped support for the old browser. Even so, Google only moved the default browser over to the full Chromium engine as recently as Android 4.4, as some parts of the browser still used some of the old software’s features.

Whilst you are unlikely to find the default browser referred to as the Android Browser on anything but devices running older stock versions of Android, many third party and OEM browsers have been built upon the open-source browser, and it is unclear how many of these are affected by the bug.

os browser by share

In terms of numbers, Google’s own figures suggest that 24.5 percent of devices are running Android 4.4 KitKat, which is exploit free unless you have installed the open-source browser yourself. The Android Browser accounts for around 21 percent of global mobile browser usage. Given that Android accounts for around 45 percent of all devices, and we can probably attribute the vast majority of the Safari usage to iOS, we come to a rough estimate that around 40 percent of all Android devices are using a form of the vulnerable browser.

The easiest way to protect yourself again the security flaw is to simply install a different browser that isn’t based on the old Android code. Chrome, Firefox, and Opera are based on different engines, but other browsers may implement some of the vulnerable code. Google has said that it can reproduce the problem, and that the company is working on a fix.