Security Vulnerability In Chrome For Android Discovered

[janner43]

UberGizmo: Security Vulnerability In Chrome For Android Discovered

As much as developers try to make their apps as secure as possible, from time to time there will be flaws discovered. Sometimes these flaws aren’t particularly serious, but sometimes they can be pretty bad. Recently during the PacSec conference in Tokyo, Qihoo 360 developer Guang Gong discovered a particularly nasty vulnerability in Chrome for Android.

Gong reportedly worked the exploit for about 3 months and basically what happened is that the vulnerability targets the app’s JavaScript engine. From there, all the hacker would need to do is direct the user to a website that can exploit the vulnerability and the JavaScript hack will do the rest of the work.

This includes the ability to install apps onto the user’s phone completely without their knowledge. Gong demonstrated the vulnerability to a Google representative who saw it in action. Thanks to his discovery, Gong has since been rewarded with a trip to Vancouver for the CanSecWest Applied Security Conference and where he will also be able to enjoy a ski trip.

As for the vulnerability itself, it is contained only to the app, so for those worried about it being a bigger and system-wide issue like Stagefright, you can rest assured that it’s not. Details of how to work the exploit were naturally unpublished so there is a good chance that it might not even be in the wild yet, so hopefully Google will push out an update soon before someone else figures it out.

Source: Security Vulnerability In Chrome For Android Discovered | Ubergizmo

[Tor]

I've been wondering about this - does it only affect the Android browser app actually known as 'Chrome', or also the 'Android' (standard) browser? Because the latter identifies as Chrome when visiting some sites. I could update the "Chrome" app, but I don't really use that browser - it's big and bloated, and wants to be active at all times. The built-in browser is the one I use all the time, but that one can't be updated..

-Tor

[droidbound]

I would bet the stock browser shares a lot with Chrome or is based off it.
I just flashed a stock based rom from 2014 to the TF700 and I am using the stock browser. When I access the Google search page I get the notification below in the title bar. Not that I think this update addresses the Java vulnerability, but it looks as if you do get security updates that way. Maybe?

[Tor]

Nope, that just takes you to a download page for desktop Chrome (listing Debian/Ubuntu/Fedora etc), or 'other platform' where you find iOS and Android. The Android link takes you to Chrome on Play, which is that bloated, different browser I mentioned, and not the stock Android browser.

[janner43]

Didn't Google start shipping native Android with Chrome as the browser rather than the original Android version quite a few iterations ago? They have probably not touched the "native" browser since then.

[Tor]

That is possible - I wouldn't know, as Android for the TF700T is at 4.x.. unlike desktop operating systems, mobile users are very quickly abandoned by vendors w.r.t. security updates (or any updates). But it is a bit surprising that Google wouldn't update the stock browser which has been in use for so many Android iterations (as in this case they could, as it's just an app and not vendor-modified firmware). Or at least it would be nice to know if this browser's javascript implementation is affected by this security issue. (On the other hand I wouldn't be happy as an Android user if indeed the Chrome browser is now default. It's not a nice browser for Android. Works well on the desktop - I'm using it now - but I definitely don't like it on Android).