A new security bug in the Android Browser could have massive implications
for Android users. Though the bug was reported last month by researcher
Rafay Baloch, it has come to the fore only now.
In a blog post, Security Street Rapid7 calls the bug a ‘privacy disaster.’
It allows an attacker to “load” JavaScript into any
arbitrary frame or window. The blog explains, “What this means is, any
arbitrary website (say, one controlled by a spammer or a spy) can peek
into the contents of any other web page. Imagine you went to an
attacker’s site while you had your webmail open in another window — the
attacker could scrape your e-mail data and see what your browser sees.
Worse, he could snag a copy of your session cookie and hijack your
session completely, and read and write webmail on your behalf.”
With a large number of users relying on the browser, widespread impact is
quite likely. It must be noted that the attack is possible only on the stock
AOSP browser, which is the legacy browser used by many OEMs, despite
Chrome being available. All new Google devices such as the Nexus series,
Android One range and even some Motorola phones use Chrome as the only
browser out of the box. A report by Ars Technica points out, “As our
monthly look at Web browser usage shows, Android Browser has a little
more real-world usage than Chrome for Android, with something like 40-50
percent of Android users using the flawed browser. The Android Browser
is likely to be embedded in third-party products, too, and some Android
users have even installed it on their Android 4.4 phones because for one
reason or another they prefer it to Chrome.”
Since it is a stock Android app, one cannot really uninstall it, unless one
has sideloaded it, as Ars Technica notes above. However, Sophos
Security points out that one can choose the Disable option. In its
blog post, the security firm states, “Stop using Browser if you have it
installed. You’ll know you have it by going to Settings/Apps/All and
looking for its tell-tale icon. You almost certainly can’t uninstall it,
because it’s usually part of the operating system build itself, meaning
it doesn’t show up under Settings/Apps/Downloaded. But if you tap on
the Browser option from the All apps page, you should see a Disable
button instead of Uninstall.”
If you have a rooted device, uninstalling the Browser is possible, and is
highly recommended. For now, if you cannot root your phone, it’s best to
not use the browser at all, and go with a third-party alternative.
Wondering which one to pick? Why not have a look at our extensive
comparison of the major Android browsers.
Posted by : Gizmeon