
Major Android Bug Is a Privacy Disaster (CVE-2014-6041) - mike-cardwell
https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041
======
ck2
If you haven't tried Firefox Fennec (android mobile) it is actually pretty
good now.

[https://play.google.com/store/apps/details?id=org.mozilla.fi...](https://play.google.com/store/apps/details?id=org.mozilla.firefox)

[https://www.mozilla.org/en-US/firefox/partners/#android](https://www.mozilla.org/en-US/firefox/partners/#android)

They make it for arm and x86 android.

They used to make a windows version but sadly stopped that build.

~~~
anonbanker
Been using Firefox mobile for four months now, and forcefully removed both
chrome and the vulnerable browser from my device about one month in. Slight
battery drain issues, but those are almost all solved in recent releases.
Definitely give it a try.

------
allegory
It's this sort of thing that puts me off Android as a platform. Even my mother
got sold a 2.2 handset recently (Samsung Galaxy Ace) that hasn't been patched
for the best part of 3 years. You never know when you're going to end up with
a lemon on your hands.

Big jump to this conclusion but I'm more inclined to trust Microsoft at the
moment as they have a better reputation for lifetime (unlike Android), have a
very public security process and good industry comms and the devices are
proven usable if not faster after recent updates (unlike iOS which starts to
be terribly limiting performance-wise). Plus they're dirt cheap.

~~~
legohead
Yes, this continues to be a problem that I hope Google addresses somehow. I
got the Samsung Galaxy _Nexus_ because I assumed it would be kept up to date
with the latest Android version, since it's using the Google brand 'Nexus'
name.

I even asked the sales representative if it would be kept up to date (knowing
I couldn't trust them, but was looking for any extra assurance), and they said
yes.

Right now it's at 4.3 and won't upgrade...

~~~
mbq
Just switch to CyanogenMod or other custom compilation; there is a gain from
Nexus brand in the ease of unlocking bootloader (;

~~~
gsnedders
I'm not convinced CyanogenMod (or any other variant) is actually that great; I
have a Samsung Galaxy S2 (i9100 model), the last non-nightly CyanogenMod
update was over a year ago now. There have been a number of CVEs issued for
Android (and likely numerous others cover Android as a platform, covering
OpenSSL for example) over that time period, so there's no way the phone is
anywhere near up-to-date with security fixes.

CyanogenMod doesn't have any way to distinguish which phones are currently
receiving security fixes in a timely manner and which are not; nor do they
have any list of security advisories covering packages they distribute (go
look at any notable desktop/server Linux distro — they _all_ have public lists
of security advisories and documentation of what release fixes them).

To my knowledge there is no Android distribution that has anywhere near the
cohesive security story — and they're all miles behind any desktop OS.

~~~
xorcist
CyanogenMod changed their release versioning. There are no "stable" builds
anymore, at all. You're supposed to run "monthly" or "milestone" or
whatever they are called. Yes, I think they could have communicated this much
better.

~~~
gsnedders
And anyone running the stable builds has therefore never been updated to an
at all recent build… _sighs_

And looking at my phone, I have no idea how I'm meant to update to the
milestone builds. The updater lets me select "stable" or "all (inc. nightly)",
and nowhere do the milestone builds appear…

None of this is helping me believe there's really any decent security story.
Abandon all users who don't check the website (or whatever) to find out about
releases, trusting the built-in updater to provide updates. Never publish any
security advisories that cover your distribution…

------
steakejjs
If you aren't familiar with SOP, this is about the worst "stupid web vuln"
that can happen. SOP is the glue that kind of almost makes the web secure. The
attack DOES work if X-Frame-Options is enabled (thanks joev. The msfmodule
says so clearly). ALL sites with or without XFrameOptions can be loaded in an
iframe, and sent to a bad guy.

If you would like to test on your device/browser, you can on ejj.io/SOP.php .
If you click on the button and you see an alert box, you're vulnerable (I
doubt many on HN will....)

Many other browsers also seem to be vulnerable. So if you use something else,
best be safe and check yourself.
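
As an added example that is not part of this thread or of the Rapid7 write-up, here is a small model of the same-origin comparison that steakejjs is referring to: the tuple of scheme, host and port that a browser checks before script in one frame may read another document. The hostnames and URLs below are constructed, and nothing here touches the network; it only shows what a correct check accepts and rejects.

```javascript
// Added example, not code from the thread or from the Rapid7 write-up: a model of
// the same-origin comparison a browser performs before letting script in one
// document read another (the check a SOP bypass defeats).
// Uses Node's built-in WHATWG URL parser; runs offline.

// Default ports per scheme, so "https://a.example:443" and "https://a.example"
// compare equal, as they do in browsers.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443', 'ftp:': '21' };

// Reduce an absolute URL to its origin tuple (scheme, host, port).
// Schemes without a network host (javascript:, data:, blob:) and unparsable
// strings yield null, standing in for an opaque origin that matches nothing.
// (Real browsers add rules this model omits, e.g. about:blank inheriting its
// creator's origin.)
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // relative or malformed: no origin
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  const port = u.port === '' ? DEFAULT_PORTS[u.protocol] : u.port;
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two documents are same-origin only if all three components match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed cases (no real sites) covering the distinctions that matter.
const CASES = [
  ['https://bank.example/account', 'https://bank.example/transfer', true],  // path is ignored
  ['https://BANK.example:443/', 'https://bank.example/', true],             // case and default port
  ['http://bank.example/', 'https://bank.example/', false],                 // scheme differs
  ['https://bank.example/', 'https://bank.example:8443/', false],           // port differs
  ['https://bank.example/', 'https://login.bank.example/', false],          // host differs
  ['https://bank.example/', 'javascript:void(0)', false],                   // opaque origin
  ['https://bank.example/', '/relative/path', false],                       // not an absolute URL
];

// Returns one result per case: {a, b, expected, got}.
function runCases(cases = CASES) {
  return cases.map(([a, b, expected]) => ({ a, b, expected, got: sameOrigin(a, b) }));
}

// True when the implementation agrees with every constructed case.
function allCasesPass(cases = CASES) {
  return runCases(cases).every(r => r.got === r.expected);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runCases()) {
    console.log(`${r.got === r.expected ? 'ok ' : 'BAD'} ${r.a} vs ${r.b} -> ${r.got}`);
  }
}
```

Running it prints one line per case. The policy is a strict three-way equality with no notion of trust between sites, which is why a bypass that lets any framed page be read is as severe as the post says; X-Frame-Options is a separate mechanism that governs whether a page may be framed at all, not whether a framing page may read it, so it does not stand in for the origin check.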

~~~
geographomics
The alert did not appear on an Android 2.3 device (HTC Desire), or a 2.2
emulator (via BrowserStack.com) - not vulnerable, or not compatible with the
exploit test?

~~~
joev_
I didn't test back this far; I should have, it's about 10% of android users. I
tested back to 4.0 (not that 4.0-4.1.2 being vulnerable matters much, since
you can get remote code execution easily through the addJavascriptInterface
vulnerability). I tried out 2.1 in the emulator just now and got the same
results as you, so it looks like 2.x is not affected by this.

------
fencepost
Replaced by Chrome ("that giant hog").

I'm on a slightly older phone, but I actually removed Chrome from it not long
ago. I started having problems with updating apps due to insufficient space,
and while I have a fair amount of crap installed, I also have ~2.5GB of
"Phone" storage for apps so I started investigating (this is separate from
"sdcard" data storage which is ~8GB). Turns out Chrome, at least on the HTC
Amaze 4G with 4.0.3, takes up about 250MB - my largest installed app by about
a factor of 4 (next largest was ~80MB). This was not cache or data, this was
the app itself.

I don't know what all they've moved into there as part of their push to
cripple Android except as a host for the "Google Play Ecosystem," but crap
like this is not endearing.

~~~
hnha
I am running out of space because Play Store and Google Framework get bigger
and bigger. It fills me with rage how Google actively makes my old phone less
capable over time for no benefit to me.

~~~
AjithAntony
Yeah. I was using a Nexus One for a long time until I had to prune so many
apps due to space that it wasn't worth using. I got a new phone, HTC One S (I
needed a t-mobile branded phone for wifi calling) with several gigs of system
partition space, and now I have to play that game again.

I recognize that there are a bunch of features now that I get to enjoy, but
now I have to choose which ones I want to keep.

When I switched, 20MB was a big app. Now I have at least 30 apps that are
bigger. Chrome in particular seems bogus. The desktop version isn't even this
big.

    
    
       Chrome : 211MB
       Facebook: 116MB
       Google search: 70MB
       Google+: 65MB
       Amazon: 60MB
       Mantano Reader: 54MB
       Dropbox: 50MB
       Google Play services: 50MB
       Google Text-to-speech engine: 45MB
       Hangouts: 35MB
       t-mobile my account: 33MB
       SwiftKey: 33MB
       Kindle: 30MB
       Evernote: 30MB
       BaconReader: 28MB
       twitter: 25MB
       Hulu: 25MB
       Google Maps: 24MB
       Google Drive: 24MB
        <...>
    
    

I do recognize that these apps balance the data differently. Chrome is 189MB
of app, and Facebook is 80MB of data.

~~~
nkozyra
I have the latest Chrome for Android and it's 65MB for the app. Still large,
but nowhere near 190MB.

~~~
gcb0
did you disable cache somehow?

open a bunch of ssl pages and see app data space explode. same happens with
firefox

~~~
AjithAntony
The cache doesn't seem relevant but I could test that. Presently my breakdown
is 189MB+21MB, app+data, and 13MB cache.

    
    
       Uninstalled.
    
       Reinstalled.  (play store reports 30MB download)
    
       Before opening the app  65MB+4KB, 0MB cache
    
       First launch (no sync sign-in) 65MB + 10MB, 60KB cache
    
       Browsed Noisy SSL page (google plus feed):  65MB + 14MB, 13MB cache
       
       Signed into sync: no change  ( 10min later, no change)
    
       Browsed image heavy site (imgur): 65MB + 14MB, 25MB cache
    
    

Does Chrome store the old versions on upgrade? That would perfectly explain
why my fresh install is 64MB, and my older install was 3x that size.

~~~
derefr
It does on the desktop: Omaha, a.k.a. Google Updater, follows a "keep a few
recent versions around and just symlink the current one" model to enable
atomic upgrades and rollbacks of failed upgrades. If Android Chrome manages
its own updates, it's likely using Omaha for them.

------
paulirish
Just an update from the Google side: As discussed below, any Android users on
4.4+ or running Chrome are not affected. For earlier versions of Android,
we've shipped patches for AOSP:

[https://android.googlesource.com/platform/external/webkit/+/...](https://android.googlesource.com/platform/external/webkit/+/1368e05e8875f00e8d2529fe6050d08b55ea4d87)
[https://android.googlesource.com/platform/external/webkit/+/...](https://android.googlesource.com/platform/external/webkit/+/7e4405a7a12750ee27325f065b9825c25b40598c)

These are in the AOSP branches for jb-dev, jb-mr1-dev, jb-mr1.1-dev, and
jb-mr2-dev.

~~~
schwarze_pest
Does this mean that there will be an update for the Galaxy Nexus?

~~~
aiiane
OS updates for $SPECIFIC_PHONE are generally reliant on the carrier to decide
to push out a patch, even after AOSP itself is patched. So an answer "from the
Google side" can't really answer your question.

~~~
schwarze_pest
The regular carrier-independent versions (Yakju/Maguro and Takju/Maguro) which
are directly supported by Google.

------
downandout
Android has its merits, but more and more I am reminded of this aptly titled
article (proudly mentioned by Tim Cook during the WWDC keynote): "_Android
Fragmentation Turning Devices Into a Toxic Hellstew of Vulnerabilities_" [1].
These kinds of incredibly serious, system level issues are a significant
competitive disadvantage, and they keep happening. Google needs to build fast
security update requirements into their Android license agreements with device
makers. At least then, when these things are discovered and publicized, tens
of millions of people won't be left vulnerable.

[1] [http://www.zdnet.com/android-fragmentation-turning-devices-i...](http://www.zdnet.com/android-fragmentation-turning-devices-into-a-toxic-hellstew-of-vulnerabilities-7000028342/)

~~~
lambda
Note that this isn't an "incredibly serious system level issue." This is an
issue with a browser that Google hasn't supported for several years, since
they replaced it with Chrome. It also doesn't affect alternative browsers like
Firefox or Opera.

Note that if Apple had a similar vulnerability, you likely couldn't work
around it by using an alternative browser, because all browsers are required
to use Safari's rendering engine.

~~~
fulafel
In addition to the Browser app that is still widely used in devices with
less-than-latest Android versions, it's present in every app that uses WebView.
And you only get fixes to WebView via OS updates. (x)

(x) Maybe. Assuming someone bothers to incorporate them into the OS update
for your device and they make it through the hurdles between the engineer and
OTA update certification.

~~~
lnanek2
WebView uses Chrome as of 4.4 as well. Also many apps that use WebView show
only their own content in it. There are only a couple apps that show user
specified content in app via WebView, like Reddit and HN.

Even if I were to go back to the old Internet app instead of Chrome, this bug
is irrelevant to me since I use an app for GMail, Twitter, Facebook and
anything else important. I can't remember the last time I used the mobile
browser for anything that matters.

~~~
fulafel
It's still a copy of the browser code that comes with the base OS, even if it
dodges the bullet on this bug. The Chromium-based WebView doesn't receive
updates like the Chrome app so will generally contain unpatched
vulnerabilities, so the system level issue remains.

(Note that the rare-to-nonexistent OS updates are still a problem, this
WebView issue notwithstanding. They are running old vulnerable Linux kernels
which compromise the app sandbox.)

~~~
paulirish
> The Chromium-based WebView doesn't receive updates like the Chrome app

We hope to see that change very soon.
[http://thenextweb.com/google/2013/11/12/google-says-working-...](http://thenextweb.com/google/2013/11/12/google-says-working-automatically-updating-androids-chromium-based-webview-just-like-chrome/)

------
javert
I am a big Linux fan and appreciate the openness and control that I can get
with Android as opposed to Apple and Microsoft products, but...

My Android experience has been shit, and I'm really getting sick of it.

Admittedly, much or even most of the problem for me is the OEMs screwing
things up and not sending out updates.

~~~
autism_hurts
You're not the only one. I'm sorry, but the Android issue has devolved into a
holy war but...

.. support is terrible on the Android side. Really terrible.

~~~
blocke
People need to stop buying terrible phones. Consumers keep rewarding companies
who don't keep up with their promises and thus no one ends up giving a crap.

In my opinion if you're not going to buy a Nexus device or a Moto E/G/X then
you might as well buy Apple. The Android One program will hopefully add more
to that.

~~~
robocat
You can only know whether it is a "terrible" phone long after you have bought
it.

Most people don't have the ability to make an informed decision about a phone
purchase (or they want to buy an iPhone or Nexus but they simply can't afford
it).

I bought a Google Nexus at USD650 _retail_ - a perfect counterexample to your
advice.

I recommend iPhones to those who can afford it (purchase price, insurance,
screen replacements etc.).

I recommend Huawei Y310/320/330 for those who don't have much.

In between there are too many other factors to make a straight recommendation
(e.g. buy second hand iPhone versus a Moto G).

~~~
bad_user
My one year old Nexus 4 is on KitKat. I guess you're talking about the Galaxy
Nexus. While I agree with you that they dropped the support way too soon,
being the reference phone you'll have no problems updating it with
CyanogenMod, which is a really good distribution btw.

But as a slight counterpoint, given the fast release cycle, you can't expect
them to support a phone forever. You mentioned iPhones. Well I have an iPhone
3GS. It's a perfectly capable phone that still works and that was still sold
as the low-price alternative after iPhone 4 happened, yet Apple stopped
supporting it as well. But I can understand that, because these OSes get more
bloated with stuff and it leads to a shitty experience. I was able to upgrade
an older Galaxy S (first generation, shipped originally with 2.1) to 4.3 by
means of CyanogenMod and it was unusable due to the less than capable
hardware.

Google did drop the support too early for the Galaxy Nexus, but try out
CyanogenMod. I'm even thinking of installing it on my Nexus 4 because the
Android on this device is bloated with Google-stuff that I cannot uninstall
and it pisses me off. It's also enlightening to install CyanogenMod without
Google Play, for an all open-source experience ;-)

~~~
tuxracer
[http://www.androidheadlines.com/2014/09/galaxy-nexus-will-li...](http://www.androidheadlines.com/2014/09/galaxy-nexus-will-likely-cyanogenmod-support-android-l.html)

~~~
bad_user
Ouch. The issue seems to be with "_the OMAP processor from Texas Instruments_"
that makes support difficult. Didn't see that coming.

------
diminish
As Firefox saved us from dangerous browsing circa 2004 from IE5, 6, 7, now it
may save us from obsolete Android stock browsers. At least that's what I use.

~~~
ZoFreX
Unfortunately a lot of apps embed the Android browser as well, and you can't
change that.

------
seccess
Does anyone know if WebView is similarly susceptible?

~~~
joev_
I wish I had tested this sooner, but yes, Webview is vulnerable (use
document.write(document.domain) instead of alert() to test). So afaict apps
that embed webview/ads on < 4.4 are at risk.

~~~
ClashTheBunny
How would this be exploited? Can you read the contents of a webview in another
process? Your users would have to navigate somehow to an exploited page (via
an ad)?

------
1ris
>While the AOSP has "been killed off" by Google, it...

I do not follow android closely, but this refers to the browser only, right?

~~~
kllrnohj
The author is also slightly mistaken on that. The AOSP browser is just a UI
shell for WebView, and WebView has absolutely not been killed off. The WebView
in KitKat sits on top of Chromium, for example, so installing an AOSP browser
on KitKat will likely not have this vulnerability.

~~~
fulafel
But it will still have vulnerabilities that have been fixed in current
Chromium.

(In the Chromium WebView FAQ they say they're working on fixing it, but there
are major difficulties.
[https://developer.chrome.com/multidevice/webview/overview](https://developer.chrome.com/multidevice/webview/overview))

------
fidotron
It was a mistake to put Webkit as an operating system level component in the
first place. It would be better if the solution wasn't to push Chromium but a
storage framework style pluggable component, mainly since they can't get stuff
like text sizing right.

Luckily since most vital user info is going to be in apps this doesn't have
nearly the same impact as it would on desktop, but it does represent yet
another demonstration that having the web as a sort of super-platform-on-a-platform
doubles your attack surface.

Android really is comparable to 90s era Windows, in every possible sense. For
better or worse Chrome OS is clearly being positioned as the NT equivalent as
well, but it's hard to see how you can recreate the functionality of Android
without adopting the flaws too.

------
kb120
So the bug is only for a browser that isn't supported by Google? No surprise
that it hasn't been patched. If security is such a big deal to a user they
should use a browser that is supported by a strong development team. Firefox
and Opera Mobile work fine on low end phones.

~~~
untog
"a browser that isn't supported by Google"

But still a browser that was _created_ by Google and was bundled with the OS
until 12 months ago, never mind how long it takes OEMs to roll it out. Android
<=4.3 accounts for 75% of Android users:

[https://developer.android.com/about/dashboards/index.html?ut...](https://developer.android.com/about/dashboards/index.html?utm_source=ausdroid.net)

Just because Google decided not to support it any more doesn't mean they
_shouldn't_. Pointing out Firefox and Opera is all very well, but this is the
default browser on Android <=4.3, and very few users explore alternative
browsers (Chrome being the exception, to a point).

It's also the browser engine used in embedded webviews, don't forget.

~~~
kb120
Very few people explore other browsers? Alt browsers are often the first app
that people download. Chrome is included in gapps.

~~~
EpicEng
Who, engineers? Certainly not my wife or anyone else I have ever met who isn't
technical.

~~~
kb120
My grandmother managed to switch entirely to Chrome on her PC without the help
of anyone in our family. Anecdotal evidence works both ways. It isn't 1998.
Most people know what a browser is and which one they are using on their
desktop. Making the leap to a second browser on a phone (where they can easily
get it from Google Play) isn't that ridiculous.

~~~
JetSpiegel
Chrome on Desktop has adapted several malware techniques to get installed
without the user noticing. Bundled by default in many installers, including
Flash, installs with user permissions only.

~~~
judk
Example? I worked quite hard to get my grandma to install Chrome.

~~~
EpicEng
>Bundled by default in many installers, including Flash, installs with user
permissions only

Not saying I agree with the Malware comment, though the bundling is annoying.

------
slingerofwheat
Is anyone familiar with the code that allows this vulnerability to be present
and where I can find it (I believe this project is open source)? I understand
the exploit is adding a null byte at the beginning of some javascript due to
some bad handling in the parsing code. So I'm looking here:
[https://android.googlesource.com/platform/packages/apps/Brow...](https://android.googlesource.com/platform/packages/apps/Browser/+/master/src/com/android/browser)

~~~
joev_
I don't know the exact location, but it is probably somewhere in the webview
tree, since it affects apps that embed webviews as well:

[https://android.googlesource.com/platform/frameworks/base/+/...](https://android.googlesource.com/platform/frameworks/base/+/jb-release/core/java/android/webkit/)

~~~
smtddr
Since it's both webview and browser itself, I'd suspect some kind of common
denominator object at fault...
like...[https://android.googlesource.com/platform/frameworks/base/+/...](https://android.googlesource.com/platform/frameworks/base/+/jb-release/core/java/android/net/UrlQuerySanitizer.java)

Especially with a method called "_public static class
IllegalCharacterValueSanitizer_".

------
thejdude
The general lack of updates is exactly why I use/install/recommend Firefox.
That and the automatic syncing w/ Desktop and the regular performance
improvements. (Chrome isn't an option. I can't even turn off third-party
cookies. In 2014.)

Too bad it uses quite a few resources and may be too heavy for low-end phones.

------
talos
This is nuts. On a sidenote, any suggestions for an equivalently fast, secure
browser for Android 4.2 on a relatively old phone? Not gonna use AOSP anymore!

~~~
takeda
You can try Opera Mobile Classic; it's important to use the classic version
since the new Opera Mobile uses the same engine as Chrome so it might have the
same vulnerabilities.

~~~
iancarroll
AOSP != Chrome, right? ...

~~~
dozy
Correct. Chrome is a separate project from the AOSP.

That said, Android 4.4 and later use Chromium for their WebViews, the source
for which is developed along with Chrome as a part of the Chromium project -
it does not live in AOSP.

Presumably the stock browser that _is_ in AOSP 4.4+ wraps Chromium, which more
or less means the AOSP browser _is_ Chrome...but not the other way around. :)

------
pmontra
This leaves us with little alternatives. Tint is affected. Dolphin is
affected. Firefox is just horrible on mobile, come see this page and you'll
understand why (they can't get font inflation right). Chrome and Opera are
what's left. Anything else?

~~~
jarek
I'm using Firefox on Android 4.4 as my full-time browser, it is rather good
most of the time. TBH HN is the only site I can think of that gives me
trouble... and knowing the authors' attitude to HTML I'm prepared to accept
the fault is not Firefox's.

~~~
pmontra
There are many font inflation bugs open on Firefox mobile. One of them was
opened about HN
[https://bugzilla.mozilla.org/show_bug.cgi?id=707195](https://bugzilla.mozilla.org/show_bug.cgi?id=707195)
in 2011. Others are about reddit. Others are about other sites. Firefox didn't
grok a way to handle font inflation in a reasonable way. All the other
browsers did. I quote a Firefox developer:

------ From a UX perspective, we should really try to fix this somehow.
Reddit and ycombinator look terrible in our browser right now. Some examples:

ycombinator
[http://cl.ly/0l2f2v0p3v0e290J0A0W](http://cl.ly/0l2f2v0p3v0e290J0A0W)

Reddit [http://cl.ly/1M452m2a2D3D04070S1I](http://cl.ly/1M452m2a2D3D04070S1I)

These pages look perfectly fine in stock Browser -- they are a little wonky in
Chrome but still better than us ------

[https://bugzilla.mozilla.org/show_bug.cgi?id=707195#c27](https://bugzilla.mozilla.org/show_bug.cgi?id=707195#c27)

That was 2012-05-01.

~~~
jarek
1) reddit renders fine for me now, zoom is consistent (Firefox 32, Android
4.4)

2) HN uses HTML straight out of the 90s (tables nested three deep, spacer images
to indent threads) so I don't mind them not focusing on trying to salvage it.
Also from the comments thread: "to fix this we'd want to know the widths of
the containers of all the text, which requires doing layout on the whole
subtree (or at least a decent part of it), but we need to know the inflation
numbers before we do layout. (It's probably doable by constructing reflow
states for the entire subtree as we walk it, but that would be a significant
performance hit that I don't think we want to take.)" Don't abuse tables and
you won't have a problem.

------
helpbygrace
Use Chrome.

~~~
lucb1e
Use Firefox.

Why? Chrome isn't open source, if you care about that kind of thing. And
personal preference also.

~~~
jonknee
[https://code.google.com/p/chromium/wiki/AndroidBuildInstruct...](https://code.google.com/p/chromium/wiki/AndroidBuildInstructions)

~~~
gress
That's not chrome.

~~~
azernik
It is very very close:
[https://code.google.com/p/chromium/wiki/ChromiumBrowserVsGoo...](https://code.google.com/p/chromium/wiki/ChromiumBrowserVsGoogleChrome)

tl;dr: Chromium is Chrome minus:

1. Crash/usage reporting to Google.

2. Proprietary video format support.

3. Embedded Flash implementation (which doesn't exist on mobile anyway).

4. Google API keys.

If what you care about is security auditability, that's pretty good. If you
care about running only open source software, that's going to be very hard to
do in the Android/Google-Play ecosystem.

~~~
gcb0
> If you care about running only open source software, that's going to be very
> hard to do in the Android/Google-Play ecosystem.

yet, the main advertisement Google throws for Android is "open source"
"community driven" yadda yadda

~~~
azernik
Main advertisement? I just went to android.com and developer.android.com;
android.com advertises "Google built in" and lots of platforms, with a very
small link to AOSP at the bottom of the page; developer.android.com has an
AOSP link buried in its menus.

~~~
gcb0
oh sorry. advertised.

we have already been baited and switched. but marketing takes a long time to
dissipate...

here, i just clicked 2010 and clicked a random day for android.com

[http://web.archive.org/web/20100112200506/http://www.android...](http://web.archive.org/web/20100112200506/http://www.android.com/)

the 1st block is about the Nexus One (marketed as open, but not on this page)
and look! the second item on the page reads "Access to the entire platform
source and information on how to contribute."

guess they forgot an asterisk there saying that the "entire platform" means
some of the platform.

------
Shofo
If only Meego took off.

