Test if your Android device is affected by recent SOP vulnerability

Martin Brinkmann
Sep 17, 2014
Google Android
|
23

Companies like Google or Microsoft have a hard time getting users to upgrade to the latest version of their operating systems. On Android for instance, a quarter is using Android version 4.4, the most recent version of the system.

It is not necessarily the fault of users that their systems are not upgraded as manufacturers may not provide updates to devices which leaves users standing in the rain and without official options to update their devices.

A security flaw recently discovered in Android Browser highlights why this is a problem. Android Browser has been the default web browser on Android devices. This changed in Android 4.2 when Chrome took over and while browsers were switched, Android Browser was still used for some functionality in the browser.

Google switched to Chromium in Android 4.4 which means that any Android user not on 4.4 may be exposed to the bug.

Here is what it does

When you visit a web page, you expect it to provide contents for the domain it is running on. A script running on the website should for instance not be able to modify contents on another site, but that is apparently what the flaw found in Android Browser does.

Same Origin Policy (SOP) is a security mechanism that has been designed to prevent JavaScript executed from one origin to access properties from another origin. JavaScript executed on badsite should not be able to retrieve data from goodsite.

What this means is that any site that you visit using Android Browser directly or when Android Browser is used by apps could potentially steal sensitive data. Properties such as cookies can be stolen by exploits

Test your device

android sop flaw

To test if your device is vulnerable visit the following web page and click on the test button on it to find out if that is the case.

If you get a popup message, your browser is vulnerable. If you don't, it is not.

The Problem

While Google is working on a patch to fix the issue, delivering the patch to users is complicated. The main reason for that is that this type of update falls into the responsibility of the manufacturer of the device.

Considering that support ends usually after two years, it is unlikely that all devices out there that are vulnerable will be patched.

To make matters worse, switching to another browser like Firefox or Chrome on affected devices resolves only part of the problem. While that browser should be safe to use then, apps running on the device may still use the affected browser to render web contents which in turn means that the issue can still be exploited.

It is still recommended to switch browsers immediately to limit exposure to the issue on affected devices.

Summary
Test if your Android device is affected by recent SOP vulnerability
Article Name
Test if your Android device is affected by recent SOP vulnerability
Description
A bug discovered recently in Android's Stock Browser allows websites to retrieve cookies and other information from other origins. Test your device to find out if it is vulnerable.
Author
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Kashif said on July 24, 2016 at 9:34 pm
    Reply

    How come my chrome 4.2 browser is still vulnerable in 2016 haven’t they already issue the patch ?? same goes for my browser on Windows 10 ? Only Internet Explorer 10 passed the test

  2. Doc said on September 18, 2014 at 7:58 pm
    Reply

    What Google should do is allow signed patches from Google to “patch” the non-vendor specific portions of the ROM. This would, for example, allowed a simple way of patching the OpenSSL HeartBleed vulnerability simply by turning off the HeartBeat feature, or updating OpenSSL.
    The only portions of the ROM that should be vendor-specific are device drivers, such as for the GPU, cell modem, camera, etc.

  3. Joe said on September 18, 2014 at 5:13 pm
    Reply

    Carriers and handset makers decide if you get latest upgrades to android in US instead of you deciding. That is a REALLY good reason to get an iPhone, IMHO, where over 80% are up to IOS7.

    http://arstechnica.com/apple/2014/01/apple-80-percent-of-active-users-are-now-running-ios-7/

  4. Bhisham said on September 18, 2014 at 1:55 pm
    Reply

    An update.

    Just to isolate the issue. I tried installing different browser on my nexus 7 2012 device with kitkat 4.4.4.

    This time mozilla displayed the popup as mentioned. So it can be concluded that it is issue with OS and javascript .Google needs to fix this..

  5. wayfarer said on September 18, 2014 at 5:39 am
    Reply

    I’ve had a Tesco Hudl for a year. Android support seems to have vanished a few weeks after it was sold. This seems such a common experience, I’m not sure I ever want another Android device.

  6. Blue said on September 17, 2014 at 5:32 pm
    Reply

    So seeing the message: “404 – Not Found
    Your kind isn’t welcome ’round these parts. Probably best you leave the way you came in. In reality, you’ve attempted to access a page that does not exist.”… is what we get if we are vulnerable… hmm good to know….

    1. ACow said on September 17, 2014 at 5:56 pm
      Reply

      The page should display in both cases. Check the URL – caps do matter.

  7. Karan Labra said on September 17, 2014 at 5:32 pm
    Reply

    I hope they fix this vulnerability on the New Android One Phones.

    1. Doc said on September 18, 2014 at 7:55 pm
      Reply

      4.4.x is not affected, nor is more recent versions of Chrome.

  8. Anonymous said on September 17, 2014 at 5:32 pm
    Reply

    So seeing the message: “404 – Not Found
    Your kind isn’t welcome ’round these parts. Probably best you leave the way you came in. In reality, you’ve attempted to access a page that does not exist.”… is what we get if we are vulnerable… hmm good to know….

  9. Bobby Phoenix said on September 17, 2014 at 4:26 pm
    Reply

    The only browser that does anything is Firefox. When I click test Firefox shows the “sharkmarks” within the window itself (like a window in a window), but no pop up. Chrome, Atlas, UC Browser, and the default browser for the Note 3 don’t do anything. What kind of pop up should we see if we are affected?

    1. Martin Brinkmann said on September 17, 2014 at 5:43 pm
      Reply

      As long as you don’t get a popup alert, everything is fine.

      1. weg43 said on September 18, 2014 at 3:27 pm
        Reply

        I must be thick but I find some of the posts a bit ambiguous so can I ask if a popup appears saying only sharkmarks does this mean the phone is NOT vulnerable, thanks weg43

  10. Daniel said on September 17, 2014 at 2:38 pm
    Reply

    So, Firefox would be the only “most” secure browser for Android 4.4?

    How do you reset to 4.2?

    BTW, was looking for forum here but i guess it was an abandoned idea.

    1. Martin Brinkmann said on September 17, 2014 at 2:47 pm
      Reply

      No one said that.

      1. Daniel said on September 17, 2014 at 3:08 pm
        Reply

        No one said that we can’t reset to 4.2 or the forum idea was abandoned?
        Even with Adblock Plus disabled, i can’t find forum menu link.

      2. Martin Brinkmann said on September 17, 2014 at 5:40 pm
        Reply

        If you are using 4.4 you should be safe, no need to downgrade.

        Yes, the forum is gone.

  11. ACow said on September 17, 2014 at 12:58 pm
    Reply

    If your phone is not one of the flagship models that are actually supported by their manufacturer in the sense that they receive more than one update after release, then it’s pretty much a waste of time even checking as it is going to be vulnerable. The problem is, the browser is a part of the firmware for some odd reason and is not upgradeable by itself. Yes you need a) your manufacturer to release a firmware update, but you then also need b) your provider to make it available to its customers which sometimes takes months. The way such things are handled with Android is ridiculous.

    I own an Alcatel phone released one year ago, the system has only been updated once (it was a security update, I guess) and it’s Android 4.2. If I like the phone and want to keep it up-to-date/secure, I need to go out and buy its second iteration with Android 4.3 preinstalled that is upgradeable to Android 4.4 (supposedly, not sure how my operator handled that…)

    Some people will say I should’ve picked a better known company if I wanted updates and support. Well, not so much. When choosing a phone (largely based on design, specs) I also considered an HTC phone released back in spring of 2012. It released with 4.0 preinstalled and is only upgradeable to 4.1.1, despite what HTC had said previously (it was supposed to receive more updates), which is pretty laughable. Luckily for its users, there’s CyanogenMod available for it.

  12. BBB said on September 17, 2014 at 11:32 am
    Reply

    [quote]On Android for instance, a quarter is using Android version 4.4, the most recent version of the system.[/quote]
    yes Google may have a hard time having user upgrading but I blame Google own Android policies for that.
    the have the requirement to only (and i stress only ) a mere 18 months AFTER production, meaning if you’re Lucky you’ll have one year updates.
    While I’m a person who thinks that you buy a product with the software that is included and you have no real right on every update, All security and bugs should get fixed even after lets say 3 years for a smartphone. This does not imply a new android version however. But let’s face the fact new android version is prob quicker then bug fixes.

    But if Google/Android policy would be 2 years after last production/official sell date, much more devices would be get an updated.

    1. ilev said on September 17, 2014 at 11:45 am
      Reply

      18 month support for Android is an illusion.
      Sony just announced that 4 one year old devices will stay at 4.1/4.2 versions
      http://www.androidpolice.com/2014/09/10/sony-pulls-the-plug-on-future-updates-for-the-xperia-l-m-c-and-sp

  13. Karl Gephart said on September 17, 2014 at 9:21 am
    Reply

    Luckily, I pass the test. I had a long KitKat update about 16 hours ago. I’m on 4.4.2. Guess that was largely the reason. Thanks for the heads-up, Martin.

    1. zentaurus21 said on September 18, 2014 at 7:00 am
      Reply

      ^_^ mine passed too ^_^ and i still have 4.2.2 ^_^

      cheers!

  14. bhisham said on September 17, 2014 at 8:57 am
    Reply

    Chromium 37 on kikat 4.4.4 is also affected

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.