Android Browser Exploit Identified (2/21/2014)
A public exploit is available for a vulnerability in the built-in browser shipped with Android 4.1 and earlier. No attacks using it have been reported in the wild, but Rapid7 has demonstrated a working exploit. Google fixed the bug in Android 4.2, released on November 13, 2012; however, Android 4.2 and later run on only a small subset of Android devices, and a device receives that release only if its manufacturer chooses to ship the update. Google currently has no mechanism for delivering a security patch for the built-in browser to devices that remain on older versions, so a device stays exposed until it receives a full platform update.
To mitigate the vulnerability, users of Android 4.1 and earlier are encouraged to do three things:
1. Download and use an alternative web browser from the Google Play Store, such as Chrome or Firefox. Browsers distributed through the Play Store are updated by their developers independently of the Android platform update cycle, so their fixes do not depend on the device manufacturer.
2. Review the data stored on the device and, if you plan to continue using the default Android browser, remove any sensitive or confidential University data from the device (including email and Box content).
3. (Optional) Disable the built-in browser completely by navigating to Settings – Apps – All Apps – Browser and selecting ‘Disable’. This removes the browser from the device app list and prevents it from being launched. Installing an alternative browser in step 1 does not remove the vulnerable built-in browser from the device, so this step is the only one of the three that actually closes the exposure.
Further, all users of mobile devices should carefully consider future mobile purchases in light of this exploit. While Google’s decision to make Android an “open” platform has given device manufacturers unprecedented freedom in the look and feel of their device UIs, it has also created a situation in which security updates for built-in applications depend on each manufacturer and are often rolled out slowly or not at all. This is far less of a problem with Google Experience devices, including the Nexus line, which receive the latest updates far more quickly than other Android devices, and it does not arise in the same form on iOS or Windows Phone devices, where the platform vendor rather than the handset maker controls system updates.
The Android version can be found under Settings – About Phone. Any device running Android 4.1.x or lower is affected as long as the built-in browser remains installed and enabled; devices running Android 4.2 or higher are not affected.
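For helpdesk or fleet use, the version check and the built-in-browser check above can be scripted. The following is an added triage helper, not part of the original advisory and not a University-provided tool. It assumes the built-in browser's package name is com.android.browser (the AOSP name; manufacturer builds may differ), and its optional live mode assumes a USB-attached device reachable through adb. The release string comes from the ro.build.version.release property, and the enabled/disabled package lists from `pm list packages -e` and `pm list packages -d`. Without `--live` it runs against constructed sample data.

```shell
#!/bin/sh
# Added triage helper (not from the original advisory). Encodes the advisory's
# rule: Android 4.1.x and lower is affected, 4.2 and higher is fixed, and the
# built-in browser is a concern only while it is still enabled on the device.
# Assumptions (not stated by the advisory): the built-in browser package is
# com.android.browser, and the live check talks to one device via adb.

STOCK_BROWSER_PKG=com.android.browser

# classify_version RELEASE -> prints "affected" or "fixed".
# Major and minor are compared numerically; a plain string compare would
# mis-order a release such as "4.10" against "4.2". Build suffixes are ignored.
classify_version() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0            # "4" alone -> minor 0
    minor=${rest%%.*}
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}
    [ -z "$major" ] && major=0
    [ -z "$minor" ] && minor=0
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -le 1 ]; }; then
        echo affected
    else
        echo fixed
    fi
}

# browser_state ENABLED_LIST DISABLED_LIST -> "enabled", "disabled" or "absent".
# Both arguments are in the "package:<name>" per-line format that
# `pm list packages` prints.
browser_state() {
    if printf '%s\n' "$1" | grep -qx "package:$STOCK_BROWSER_PKG"; then
        echo enabled
    elif printf '%s\n' "$2" | grep -qx "package:$STOCK_BROWSER_PKG"; then
        echo disabled
    else
        echo absent
    fi
}

# assess RELEASE ENABLED_LIST DISABLED_LIST -> one-line verdict for the device.
assess() {
    v=$(classify_version "$1")
    b=$(browser_state "$2" "$3")
    if [ "$v" = fixed ]; then
        echo "not vulnerable: Android $1"
    elif [ "$b" = enabled ]; then
        echo "VULNERABLE: Android $1 with built-in browser enabled; disable it (Settings - Apps - All Apps - Browser) and use Chrome or Firefox"
    else
        echo "affected build: Android $1, but built-in browser is $b; still apply steps 1 and 2"
    fi
}

# Constructed sample package lists (not captured from a real device).
SAMPLE_ENABLED='package:com.android.browser
package:com.android.chrome
package:com.android.settings'
SAMPLE_DISABLED='package:com.example.preloaded'

# Live mode: `sh triage.sh --live` with one device attached. adb on older
# releases terminates lines with CRLF, hence the tr -d '\r'.
if [ "${1:-}" = "--live" ]; then
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    en=$(adb shell pm list packages -e | tr -d '\r')
    dis=$(adb shell pm list packages -d | tr -d '\r')
    assess "$rel" "$en" "$dis"
else
    assess 4.1.2 "$SAMPLE_ENABLED" "$SAMPLE_DISABLED"
    assess 4.4.2 "$SAMPLE_ENABLED" "$SAMPLE_DISABLED"
fi
```

Because disabling the browser through Settings is a per-device UI action on these releases, the script only reports state; it does not attempt to disable the package, which on Android 4.1 would require privileges a normal adb session does not have.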