Test if your Android device is affected by recent SOP vulnerability
Companies like Google or Microsoft have a hard time getting users to upgrade to the latest version of their operating systems. On Android for instance, a quarter is using Android version 4.4, the most recent version of the system.
It is not necessarily the fault of users that their systems are not upgraded as manufacturers may not provide updates to devices which leaves users standing in the rain and without official options to update their devices.
A security flaw recently discovered in Android Browser highlights why this is a problem. Android Browser has been the default web browser on Android devices. This changed in Android 4.2 when Chrome took over and while browsers were switched, Android Browser was still used for some functionality in the browser.
Google switched to Chromium in Android 4.4 which means that any Android user not on 4.4 may be exposed to the bug.
Here is what it does
When you visit a web page, you expect it to provide contents for the domain it is running on. A script running on the website should for instance not be able to modify contents on another site, but that is apparently what the flaw found in Android Browser does.
Same Origin Policy (SOP) is a security mechanism that has been designed to prevent JavaScript executed from one origin to access properties from another origin. JavaScript executed on badsite should not be able to retrieve data from goodsite.
What this means is that any site that you visit using Android Browser directly or when Android Browser is used by apps could potentially steal sensitive data. Properties such as cookies can be stolen by exploits
Test your device
To test if your device is vulnerable visit the following web page and click on the test button on it to find out if that is the case.
If you get a popup message, your browser is vulnerable. If you don't, it is not.
The Problem
While Google is working on a patch to fix the issue, delivering the patch to users is complicated. The main reason for that is that this type of update falls into the responsibility of the manufacturer of the device.
Considering that support ends usually after two years, it is unlikely that all devices out there that are vulnerable will be patched.
To make matters worse, switching to another browser like Firefox or Chrome on affected devices resolves only part of the problem. While that browser should be safe to use then, apps running on the device may still use the affected browser to render web contents which in turn means that the issue can still be exploited.
It is still recommended to switch browsers immediately to limit exposure to the issue on affected devices.
Chromium 37 on kikat 4.4.4 is also affected
Luckily, I pass the test. I had a long KitKat update about 16 hours ago. I’m on 4.4.2. Guess that was largely the reason. Thanks for the heads-up, Martin.
^_^ mine passed too ^_^ and i still have 4.2.2 ^_^
cheers!
[quote]On Android for instance, a quarter is using Android version 4.4, the most recent version of the system.[/quote]
yes Google may have a hard time having user upgrading but I blame Google own Android policies for that.
the have the requirement to only (and i stress only ) a mere 18 months AFTER production, meaning if you’re Lucky you’ll have one year updates.
While I’m a person who thinks that you buy a product with the software that is included and you have no real right on every update, All security and bugs should get fixed even after lets say 3 years for a smartphone. This does not imply a new android version however. But let’s face the fact new android version is prob quicker then bug fixes.
But if Google/Android policy would be 2 years after last production/official sell date, much more devices would be get an updated.
18 month support for Android is an illusion.
Sony just announced that 4 one year old devices will stay at 4.1/4.2 versions
http://www.androidpolice.com/2014/09/10/sony-pulls-the-plug-on-future-updates-for-the-xperia-l-m-c-and-sp
If your phone is not one of the flagship models that are actually supported by their manufacturer in the sense that they receive more than one update after release, then it’s pretty much a waste of time even checking as it is going to be vulnerable. The problem is, the browser is a part of the firmware for some odd reason and is not upgradeable by itself. Yes you need a) your manufacturer to release a firmware update, but you then also need b) your provider to make it available to its customers which sometimes takes months. The way such things are handled with Android is ridiculous.
I own an Alcatel phone released one year ago, the system has only been updated once (it was a security update, I guess) and it’s Android 4.2. If I like the phone and want to keep it up-to-date/secure, I need to go out and buy its second iteration with Android 4.3 preinstalled that is upgradeable to Android 4.4 (supposedly, not sure how my operator handled that…)
Some people will say I should’ve picked a better known company if I wanted updates and support. Well, not so much. When choosing a phone (largely based on design, specs) I also considered an HTC phone released back in spring of 2012. It released with 4.0 preinstalled and is only upgradeable to 4.1.1, despite what HTC had said previously (it was supposed to receive more updates), which is pretty laughable. Luckily for its users, there’s CyanogenMod available for it.
So, Firefox would be the only “most” secure browser for Android 4.4?
How do you reset to 4.2?
BTW, was looking for forum here but i guess it was an abandoned idea.
No one said that.
No one said that we can’t reset to 4.2 or the forum idea was abandoned?
Even with Adblock Plus disabled, i can’t find forum menu link.
If you are using 4.4 you should be safe, no need to downgrade.
Yes, the forum is gone.
The only browser that does anything is Firefox. When I click test Firefox shows the “sharkmarks” within the window itself (like a window in a window), but no pop up. Chrome, Atlas, UC Browser, and the default browser for the Note 3 don’t do anything. What kind of pop up should we see if we are affected?
As long as you don’t get a popup alert, everything is fine.
I must be thick but I find some of the posts a bit ambiguous so can I ask if a popup appears saying only sharkmarks does this mean the phone is NOT vulnerable, thanks weg43
So seeing the message: “404 – Not Found
Your kind isn’t welcome ’round these parts. Probably best you leave the way you came in. In reality, you’ve attempted to access a page that does not exist.”… is what we get if we are vulnerable… hmm good to know….
I hope they fix this vulnerability on the New Android One Phones.
4.4.x is not affected, nor is more recent versions of Chrome.
So seeing the message: “404 – Not Found
Your kind isn’t welcome ’round these parts. Probably best you leave the way you came in. In reality, you’ve attempted to access a page that does not exist.”… is what we get if we are vulnerable… hmm good to know….
The page should display in both cases. Check the URL – caps do matter.
I’ve had a Tesco Hudl for a year. Android support seems to have vanished a few weeks after it was sold. This seems such a common experience, I’m not sure I ever want another Android device.
An update.
Just to isolate the issue. I tried installing different browser on my nexus 7 2012 device with kitkat 4.4.4.
This time mozilla displayed the popup as mentioned. So it can be concluded that it is issue with OS and javascript .Google needs to fix this..
Carriers and handset makers decide if you get latest upgrades to android in US instead of you deciding. That is a REALLY good reason to get an iPhone, IMHO, where over 80% are up to IOS7.
http://arstechnica.com/apple/2014/01/apple-80-percent-of-active-users-are-now-running-ios-7/
What Google should do is allow signed patches from Google to “patch” the non-vendor specific portions of the ROM. This would, for example, allowed a simple way of patching the OpenSSL HeartBleed vulnerability simply by turning off the HeartBeat feature, or updating OpenSSL.
The only portions of the ROM that should be vendor-specific are device drivers, such as for the GPU, cell modem, camera, etc.
How come my chrome 4.2 browser is still vulnerable in 2016 haven’t they already issue the patch ?? same goes for my browser on Windows 10 ? Only Internet Explorer 10 passed the test