Another day, another reminder that Android is an OS which needs a lot more vigilance when it comes to security. Yet another security study revealed that Android has issues and this time it's with the browser. Security company Lookout provided data that revealed a vulnerability that exists in smartphones using the older Android browser.
What happens is that attackers could bypass what is called the same-origin policy (SOP), something that exists in all browsers. It is a protective measure that will prevent scripts from one domain interacting with data from another domain. Without it, attackers could create pages from other websites within an invisible frame thus allowing attackers to hijack those websites from the frame. For instance, an attacker could load your banking website in an invisible frame and hijack the data you put into the website as while it does not control the website, it does have the ability to capture data you input via the frame.
Android, oh Android
This SOP bypass weakness specifically affects Android versions older than 4.4. This is because those versions use the Android Open Source Project (AOSP) browser while Android 4.4 onwards uses Google Chrome.
While Google has released patches for the vulnerabilities, device vendors would have to import and tweak those patches, adding them to firmware upgrades. This means older phones that have reached end-of-life or end-of-support cycles are left hanging.
Just because users are stuck with older phones or phones that are subject to carrier software customisation, it really shouldn't leave them open to attacks and not have recourse to security besides having to buy a new phone.
Apparently 81 per cent of Lookout users in Japan have an insecure version of the AOSP browser, with 73 per cent in Spain, 51 per cent in the UK and only 34 per cent in the US.
A quick, cheap fix is merely eschewing using the stock Android browser and instead installing Chrome, Firefox and other third-party browsers that can be updated without needing a firmware update.