Android Browser flaw a “privacy disaster” for half of Android users | Ars Technica

Posted from WordPress for Android

1 Comment

  1. Tomi Engdahl says:

    “Shocking” Android browser bug could be a “privacy disaster”: here’s how to fix it

    Independent security researcher Rafay Baloch has written about a security bug in the Android Browser app that allows one website to steal data from another.

    The guys over at Metasploit are calling it a “Privacy Disaster,”

    Web security depends very heavily on a principle known as the Same Origin Policy.

    Anyway, Rafay Baloch found a way of sucking in content from another site into an IFRAME, and then reading Document Object Model (DOM) data from that IFRAME using some JavaScript trickery outside the IFRAME.

    The good news is that the Android Browser app, known simply as Browser, has been discontinued by Google.

    You can still get hold of it and install it if you want, but Android 4.4 (KitKat) doesn’t have it by default.

    The bad news is that older versions of Android (apparently, anything before 4.4) do come with Browser.

    And, because Browser it isn’t being developed any more, this bug might well be there to stay, unless your phone vendor decides to offer a firmware update to replace it.

    What to do?

    Stop using Browser if you have it installed.

    You almost certainly can’t uninstall it, because it’s usually part of the operating system build itself, meaning it doesn’t show up under Settings | Apps | Downloaded.

    But if you tap on Browser from the All apps page, you should see a [Disable] button

    This will let you disarm the danger by preventing you from using the risky Browser app again.

    a decent Mobile Device Management (MDM) product should help to defuse the risk by inhibiting the Browser app remotely

    You’ll need to provide your users with another browser in its place, of course, but your MDM software should make that pretty easy, too.

    Well-known replacement browsers include Firefox, Chrome and Dolphin.


Leave a Comment

Your email address will not be published. Required fields are marked *