Android Security Flickr Reuse

While we have been reporting about various Windows exploits in recent months, other platforms have their share of problems. Android is notable for its lack of security, especially when the OS is not Google stock. For example, this week Google has sent out a partial fix for a problem that is nearly four years old.

The issue in question is an interesting one. Firstly, Google had previously rejected the bug report claiming Android was “working as intended”. Even now, the problem stemming from 2015 has only been fixed partially.

In terms of what problems were exposed, researchers reported an issue with Google Chrome. As the default browser on Android, Chrome uses WebView and Custom Tabs APIs. Nightwatch Cybersecurity reports Chrome and Android apps that use these APIs can leak information about hardware and firmware version.

Advertisement

“This information can be used for track users and fingerprint devices,” said Nightwatch researcher Yakov Shafranovich, in a post last week. “It can also be used to determine which vulnerabilities a particular device is vulnerable to in order to target exploits.”

The flaw has been present in Android for three years. APIs have been sending out device information from affected APIs since. Nightwatch points out the User-Agent header on website content is the most worrying as it includes the Android version running on the device, the name, and firmware build.

“For many devices, this can be used to identify not only the device itself, but also the carrier on which it is running and from that the country,” added Shafranovich. “It can also be used to determine which security patch level is on the device and which vulnerabilities the device is vulnerable to.”

Fix

Attackers could exploit this flaw by creating a malicious websit. Information could target users by creating false problems for their device. Google is not exactly acting quickly to patch the issue and has issued a partial fix in Chrome 70.

“The fix hides the firmware information while retaining the hardware model identifier … The device model number remains,” said Shafranovich. “The fix only applies to the Chrome application itself, and not to the WebView implementation used by application developers as per the following explanation [from Google]: ‘Does not apply the change to Android Web View as mandated by the Android Compatibility Definition Document.’”

Advertisement