AOSP Browser flaw could be “Privacy disaster” for half of Android users


Privacy disaster

In an age where privacy seems to be treated with more and more contempt, this latest bug will probably be of little concern to most people, but the vulnerability, which surfaced on September 1st to little commotion, could be a privacy nightmare for those affected. The bug lets a malicious web page inject JavaScript into other websites the browser has loaded, meaning that such scripts could potentially read passwords, view cookies, see keyboard input and do a whole host of other scary things.

This particular Android bug defeats the browser’s ability to stop a script on one website from accessing the content of another (the same-origin policy). Rafay Baloch, the researcher who found the data-leaking bug, suggested that it lets a page interfere with other sites’ content without restriction, which means that potentially any site you visit could be stealing your personal data.
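To make concrete what the article means by stopping one site’s scripts from reaching another site’s content, here is a small model of the same-origin check a browser performs before letting a script read a frame’s document. This is an added example, not code from the article or from Rafay Baloch’s write-up; the bank.example and attacker.example URLs and the frame table are constructed sample data, and readFrame and readableFrames are hypothetical helpers standing in for the browser’s DOM access check.

```javascript
// Added illustration of the same-origin policy the article describes the AOSP
// browser failing to enforce. Not code from the article or from Rafay Baloch's
// write-up; the URLs and the frame table below are constructed sample data.
// Runs on Node.js >= 10, which provides the WHATWG URL class globally.

// Default ports per scheme: "http://a.example" and "http://a.example:80" are
// the same origin, so the port must be normalised before comparing.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// An origin is the (scheme, host, port) triple. Path, query and fragment are
// deliberately ignored: /login and /account on one host share an origin.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                              // e.g. "https:"
    host: u.hostname.toLowerCase(),                  // host names are case-insensitive
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // explicit port, else the scheme default
  };
}

function isSameOrigin(urlA, urlB) {
  const a = parseOrigin(urlA);
  const b = parseOrigin(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed stand-in for frames loaded in a browser tab. `document` here is
// just the data a script running inside that frame would be able to read.
const SAMPLE_FRAMES = [
  { url: "https://bank.example/account",
    document: { cookie: "session=abc123", password: "hunter2" } },
  { url: "https://bank.example:443/transfer",
    document: { cookie: "session=abc123", amount: "100.00" } },
  { url: "http://bank.example/",
    document: { cookie: "insecure=1" } },
];

// What a correctly behaving browser does when a script running in `scriptUrl`
// touches frame.document: grant access only within the same origin, otherwise
// raise a SecurityError. The AOSP bug described above is the case where this
// check is bypassed and the document is handed over anyway.
function readFrame(scriptUrl, frame) {
  if (!isSameOrigin(scriptUrl, frame.url)) {
    const err = new Error(
      `Blocked a frame with origin "${new URL(scriptUrl).origin}" ` +
      `from accessing a cross-origin frame (${frame.url}).`
    );
    err.name = "SecurityError";
    throw err;
  }
  return frame.document;
}

// Which of the given frames a page at `scriptUrl` may read, so callers do not
// need to catch the SecurityError themselves.
function readableFrames(scriptUrl, frames) {
  return frames.filter((f) => isSameOrigin(scriptUrl, f.url)).map((f) => f.url);
}

console.log(readableFrames("https://attacker.example/evil", SAMPLE_FRAMES)); // []
console.log(readableFrames("https://BANK.example/", SAMPLE_FRAMES));
// [ 'https://bank.example/account', 'https://bank.example:443/transfer' ]
```

Note that http://bank.example/ is not readable from https://bank.example/ either: scheme is part of the origin, which is why a plain-HTTP frame of the same host is still treated as foreign.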

The browser responsible is the old AOSP browser, which was the default for Android users until Android 4.2, when, in an attempt to assert more control over Android, Google made Chrome the platform’s default browser.

But, as we all know, one of Android’s major pitfalls is fragmentation: according to Google’s own statistics only a measly 24.5% of users are currently running Android 4.4, and a huge swathe of the rest, with a large percentage on Android 4.1 and below, are still using the affected browser.

Mr Baloch reported his findings to Google, but they reportedly suggested there was little that could be done and closed the case. Since he posted the bug evidence on his blog, various developers have branded the findings a “privacy disaster”, especially given how infrequently Android updates reach devices.

Luckily, if you are on an older version of Android you can avoid exposure by switching to either Chrome or Firefox, but how many people have already been affected remains unknown.

Google is trying to fight fragmentation through a new project launched earlier this year at Google I/O 2014, a program it calls Android One. Android One intends to deliver cheap smartphones with the latest Android OS version, along with updates delivered straight from Google’s own servers, to emerging markets.

Update: Google has already responded to this problem and provided a solution too; its statement follows.

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (12) to AOSP.