“Keeping software up to date is one of the greatest challenges in security,” Adrian Ludwig wrote. Because the browser App is based on a version of the WebKit browser engine that’s now more than two years old, fixing the vulnerability in Android Jelly Bean and earlier versions is “no longer practical to do safely”
Google’s Chief of Security Adrian Ludwig in a Google+ post on Friday January 23rd 2015 commenting on Google’s Decision not to fix a security hole in Google Android Default Browser
There is a security flaw in the Google Android Default Browser – not Google Chrome for Android, you have to download that as a free App – that is on 60% of Android smartphones.
Personally I knew this was coming from the first article back in August 2014 that I did on Google’s Fragmentation problem nicely titled Android KitKat beats Jellybean in the Fragmented World of Android smartphones.
After all, why would Google’s Android Developers Dashboard Group put out the stats so publicly anyway? Maybe because they were not only confirming the fact that the fragmentation issue was real, but possibly giving us a heads up as to what you must do to be a true Android Fan: Upgrade to the latest version!
So what does Google plan to do about this? Again as the title says nothing!
Google has no fix for Android Browser – Google’s Chief of Security is not Drunk
Surprisingly , Google has no plans to fix this flaw, which at 60%, means it’s on 2/3rds of Android devices from Google Android 2.2 Froyo which is on 2.2% of devices to Google Android 4.4 KitKat which is on 33% of all devices as per the latest stats from the Android Developers Dashboard as presented in my article Android Lollipop on the Fences as KitKat munches away at Jellybean.
To say that the premise of my title is outrageous is probably an understatement that will echo with Android users for the rest of the year. Not predicting any mass defection, just seething masses of outrage, especially among Americans!
According to Google’s Chief of Security Adrian Ludwig in a Google+ posted on Friday January 23rd 2015 statement, Google has no plans to fix this vulnerability as they can no longer safely fix it, being as it’ll expose million of their devices to hackers. Not to mention brick your Android Smartphone and bring down the house on Google.
Why do I smell a Class Action Lawsuit coming out of this? But still what is this flaw?
Google Android Browser Flaw – API Call plays fetch means Dog can return with Stick of Dynamite
The flaw relates to an API Call to fetch data from a Cloud Server or Website to upload data for a Leaderboard, keeping track of everything from gaming scores, storage of personal information like Credit Card, Social Security numbers possibly relating to registering your account to make an in-App purchase.
Hackers, once they know of this vulnerability, can use it to send false instructions to your smartphone via the App, getting you to give up personal information, such as Social Security Numbers and Credit card information and even installing back door Apps and keyloggers to steal your passwords for your various accounts.
Like the title suggests, you send an API Call to a Cloud Server to get a stick and your Dog i.e. the Cloud Server, returns with a Stick of Dynamite.
Kablooey! You’re hacked!
Yes, in case you thing he was drunk in a Bar in Palo Alto California and posted this, it IS the Official position of Google. They are not fixing this flaw. Like ever!!!
Android Browser Flaw long in the Making – Too Many Candymakers spoil the broth
As you can tell, I’m on fyah with these puns today!
Personally, this doesn’t surprise me, as they have a serious fragmentation problem, which as many of my reader might be aware.
I’ve been tracking with a series of blog article, the latest being one in February 2015 titled Android Lollipop on the Fences as KitKat munches away at Jellybean, where I highlighted the fact that Google Android 4.4 Kitkat was finally gaining traction even as Google Android 5.0 Lollipop was just starting to make a splash onto the scene.
As I’d mentioned before, at 60%, that basically all devices running Google Android 4.2 Jellybean or older. This implies that the newer versions of Google Android, that being Google Android 4.4 Kitkat and Google Android 5.0 Lollipop that’s not even out as yet in the wild.
Confused? This History Website of Google Android Versions will get you up to speed!
Ok, so back to it, lads!
That they have problems policing so many devices with old or obsolete version of Android doesn’t come as surprise to Engineering Manager at Security firm Rapid7, Tod Beardsley, as per this quote from his blog post on the issue, quote: “Unfortunately, this is great news for criminals for the simple reason that, for real bad guys, pretty much everything is in scope”.
Part of the problem too is that Google has no control over what version of Android that Developers will use in their devices. Even when they make the latest version of the SDK (Software Development Kit) for Android, which in this case is Google Android 5.0 Lolllipop, many Developers opt for the older versions due to fears over bug fixes and stability issues.
What Google’s Chief of Security Adrian Ludwig recommends – What you should REALLY do
Cost is also an issue, as a Tablet or smartphone with the latest OS is usually priced higher, with low-end devices i.e. smartphones and Tablets running older versions of Android, father increasing the fragmentation problem. So Google’s Chief of Security Adrian Ludwig makes a very strange recommendation to peeps on Google Android 4.3 Jellybean or older to do the following:
- Use Google Chrome for Android, specifically if you had Google Android 4.0 Ice Cream Sandwich
- Use Mozilla Firefox for Android, specifically if you had Google Android 2.3 Gingerbread
This isn’t gonna work, as the flaw is pretty common to almost all Apps. Thus, again the wise and trusty Google’s Chief of Security Adrian Ludwig recommend that Developers restrict their Apps from loading content via this API website call.
Effectively, they’ll have to send out update for their Apps to NOT make a API call to link back to their websites, possibly having to make the App download large binary files filled with data that would otherwise be stored in the Cloud , reference whenever needed.
Alternately, the Apps on the Android smartphone or Tablet will have to resort to using stronger encryption as well as change the Ports or Channels in the TCP/IP Framework that they use to communicate with their Cloud Servers.
This’ll certainly complicate thing but one thing is clear.
The fact that Google is taking such a hands-off approach to this issue implies that they’re basically forcing customer to either upgrade to Google Android 4.4 KitKat, if their device can be upgrade or buy a new device Google Android 5.0 Lollipop.
I suspect in doing this, they’re hoping to solve the fragmentation problem and thus rid themselves of the older bug ridden Google Android 4.3 Jellybean or older Tablets and Smartphone by placing the ball in the court of Developers and users…….without actually saying so.
Like I said, I smell a Class Action Lawsuit coming!
Here’s the link:
Like the post above? Check out these related posts: