How can I mitigate the risks of alternative Android browsers?
Expert Michael Cobb explains the security risks surrounding alternative Web browsers, as well as approaches enterprises can take to prevent BYOD employees from using them.
A recent study revealed that many alternative Android browsers pose multiple security risks. What are the issues surrounding alternative browsers, and what is the best way to prevent our organization's BYOD employees from using them?
Despite Android devices having a preinstalled browser, many users like to install a browser of their own choice. Browsers from major vendors, such as Mozilla Firefox and Opera, are available for Android, but so too are dozens of so-called "alternative browsers" -- such as UC Browser, Dolphin Browser, Maxthon and Puffin -- which have been downloaded millions of times by users around the world. Some of these browsers are considered faster or more customizable than the built-in browser, while others minimize bandwidth consumption for users concerned about roaming charges.
Worryingly, for enterprises operating BYOD environments, research by VerSprite Inc. on 10 of the most popular alternative Android browsers available in the Google Play Store found at least one major security vulnerability in each of them. Vulnerabilities included SQL injection, storing OAuth tokens and passwords in plaintext, and insecure use of the intent URL function. These potentially serious flaws put data on the device at risk and are mainly due to poor coding by the teams that developed the alternative browsers.
For example, the most widespread vulnerability found by VerSprite is related to Android's intent functionality. The purpose of the intent URL function is to make it possible for Web-based applications to interact with installed apps, such as tapping a link in a browser and having it open a social profile in the related Android app on the device. While a useful feature, if it's not implemented correctly, it can be leveraged by hackers to steal authentication data, cookies and data from other apps on the device. While there is ample documentation available on how to correctly implement intent URL functionality -- and it only takes four lines of code to filter malicious intents -- developers are clearly not taking the time to understand the potential vulnerabilities certain functions can introduce and how best to protect their users.
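As an added illustration, not code from the article or from any of the browsers it names, the following Android `WebViewClient` handles `intent://` links the way the widely documented hardening pattern prescribes: the parsed intent is restricted before it is launched, instead of being passed straight to `startActivity`. The class name and the `browser_fallback_url` extra are assumptions for the example.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URISyntaxException;

/** WebViewClient that lets pages open installed apps through intent:// URLs
 *  without letting the page choose the target component or its privileges. */
public class IntentUrlWebViewClient extends WebViewClient {
    private final Context context;

    public IntentUrlWebViewClient(Context context) {
        this.context = context;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (!url.startsWith("intent:")) {
            return false; // ordinary navigation: let the WebView load it
        }
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return true; // malformed intent URL: swallow it, load nothing
        }
        // The unsafe variant calls context.startActivity(intent) at this point,
        // leaving the web page in control of component, selector and flags.
        intent.addCategory(Intent.CATEGORY_BROWSABLE); // only web-launchable activities
        intent.setComponent(null);                    // drop any explicit target
        intent.setSelector(null);                     // drop a re-targeting selector
        intent.setFlags(intent.getFlags()             // never hand out URI permissions
                & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
                  | Intent.FLAG_GRANT_WRITE_URI_PERMISSION));
        try {
            context.startActivity(intent);
        } catch (ActivityNotFoundException e) {
            // No app handles it: honour a fallback URL only if it is plain web content.
            String fallback = intent.getStringExtra("browser_fallback_url");
            if (fallback != null
                    && (fallback.startsWith("http://") || fallback.startsWith("https://"))) {
                view.loadUrl(fallback);
            }
        }
        return true; // the navigation was handled (or deliberately dropped)
    }
}
```

The fallback check matters as much as the four restricting calls: loading an attacker-supplied `javascript:` or `file:` fallback would reopen the hole the rest of the handler closes.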
Another problem is that developers need to ensure their code works as expected on an ever-increasing number of Android devices; a 2014 survey by OpenSignal Inc. identified 18,796 unique Android devices using its software. Combine this diversity of devices with the various versions of Android that users are running and you have a very fragmented ecosystem.
This fragmentation also presents a problem to administrators trying to keep enterprise networks and data secure while allowing employees to bring their own devices. BYOD policies should encourage employees to keep their devices up to date, particularly given Google's decision to no longer provide security patches for WebView vulnerabilities on devices running Android Jelly Bean (4.3) or earlier. (WebView is a core component of the Android operating system used to render Web-based content.) Given the security issues raised by VerSprite's research, BYOD policies should state which alternative browsers are acceptable to be used as the device's default browser and block network access to devices using unapproved browsers.
Having an innovative community of developers is important for creating new products and offering users choices, but innovation has to include security. The Mozilla Firefox and Google Chrome browsers downloadable from Google Play may not be flawless, but security is very much part of the mature software development process practiced by their creators. Even so, enterprises should always assess the risk of any software accessing corporate resources, particularly software from new or unknown developers.
Ask the Expert
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now. (All questions are anonymous.)