
Test if your Android device is affected by recent SOP vulnerability

Companies like Google or Microsoft have a hard time getting users to upgrade to the latest version of their operating systems. On Android, for instance, a quarter are using Android version 4.4, the most recent version of the system.

It is not necessarily the users' fault that their systems are not upgraded: manufacturers may not provide updates for their devices, which leaves users standing in the rain without official options to update.

A security flaw recently discovered in Android Browser highlights why this is a problem. Android Browser has been the default web browser on Android devices. This changed in Android 4.2 when Chrome took over, and while browsers were switched, Android Browser was still used for some functionality in the browser.

Google switched to Chromium in Android 4.4, which means that any Android user not on 4.4 may be exposed to the bug.

Here is what it does

When you visit a web page, you expect it to provide contents for the domain it is running on. A script running on the website should, for instance, not be able to modify contents on another site, but that is apparently what the flaw found in Android Browser allows.

Same Origin Policy (SOP) is a security mechanism designed to prevent JavaScript executed from one origin from accessing properties of another origin. JavaScript executed on badsite should not be able to retrieve data from goodsite.

What this means is that any site you visit using Android Browser directly, or when Android Browser is used by apps, could potentially steal sensitive data. Properties such as cookies can be stolen by exploits.

Test your device

To test if your device is vulnerable, visit the following web page and click on the test button on it to find out if that is the case.

If you get a popup message, your browser is vulnerable. If you don't, it is not.

The Problem

While Google is working on a patch to fix the issue, delivering the patch to users is complicated. The main reason is that this type of update is the responsibility of the device manufacturer.

Considering that support usually ends after two years, it is unlikely that all vulnerable devices out there will be patched.

To make matters worse, switching to another browser like Firefox or Chrome on affected devices resolves only part of the problem. While that browser should then be safe to use, apps running on the device may still use the affected browser to render web contents, which in turn means that the issue can still be exploited.

It is still recommended to switch browsers immediately to limit exposure to the issue on affected devices.
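
A site operator who wants to gauge how many visitors are still exposed can apply the version cutoff described above to the User-Agent strings in their logs. The following is an added example, not code from the original article; the User-Agent patterns are an assumed heuristic, the category names are hypothetical, and the sample strings are constructed.

```javascript
// Added example (not from the article). Assumed heuristic: the stock Android
// Browser and pre-4.4 embedded web views send "Android <version>", AppleWebKit
// and "Version/x.y", with no Chrome/ or Firefox/ token.
const SAMPLE_UAS = [ // constructed sample strings
  "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SAMPLE-DEVICE Build/XXXXX) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
  "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SAMPLE-DEVICE Build/XXXXX) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
  "Mozilla/5.0 (Linux; Android 4.3; SAMPLE-DEVICE Build/XXXXX) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 4.4.2; SAMPLE-DEVICE Build/XXXXX) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Mobile Safari/537.36",
  "Mozilla/5.0 (Android; Mobile; rv:32.0) Gecko/32.0 Firefox/32.0",
  "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0",
];

// Extract the Android major/minor version, or null if the UA does not state it.
function androidVersion(ua) {
  const m = /Android (\d+)(?:\.(\d+))?/.exec(ua);
  return m ? { major: Number(m[1]), minor: Number(m[2] || 0) } : null;
}

function isBefore44(v) {
  return v.major < 4 || (v.major === 4 && v.minor < 4);
}

function isLegacyBrowserUA(ua) {
  return /AppleWebKit\//.test(ua) && /Version\/\d+\.\d+/.test(ua) &&
         !/(Chrome|Firefox)\//.test(ua);
}

function classify(ua) {
  if (!/Android/.test(ua)) return "not-android";
  const v = androidVersion(ua);
  if (v === null) return "unknown";          // UA omits the OS version
  if (!isBefore44(v)) return "not-flagged";  // 4.4 switched to Chromium
  // Before 4.4: another browser resolves only part of the problem, because
  // apps on the device may still render web content with the affected one.
  return isLegacyBrowserUA(ua) ? "likely-affected" : "partial";
}

// Count how many User-Agent strings fall into each category.
function summarize(uas) {
  const counts = {};
  for (const ua of uas) {
    const c = classify(ua);
    counts[c] = (counts[c] || 0) + 1;
  }
  return counts;
}

console.log(summarize(SAMPLE_UAS));
```

User-Agent strings can be changed by the client, so the counts are an estimate of exposure rather than a test of any single device.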

This article was first seen on ComTek's "TekBits" Technology News
