IBM researchers spot serious Android browser injection vulnerability

According to Roee Hay and Yair Amit of IBM's Rational Application Security Research Group, this means that a malicious, non-privileged application could break into the browser URL loading process and its allied sandbox to inject JavaScript.

This is potentially very serious, Infosecurity notes, as the sandbox element of the browser environment seen on Android is supposed to defend the smartphone/tablet platform against this type of attack.

The researchers note that the vulnerability "has the same implications as global XSS, albeit from an installed application rather than another website."

The IBM security researchers go on to say that Android 2.3.5 and 3.2 have been released and which incorporate a fix for this bug.

Patches are also available for Android 2.2 and will, they note, be released at a later date.

So how does the sandbox environment become subverted?

Android applications, say the researchers, are executed in a sandbox environment, to ensure that no application can access sensitive information held by another, without adequate privileges.

For example, they note, Android's browser application holds sensitive information such as cookies, cache and history, and this cannot be accessed by third-party apps.

"An android app may request specific privileges during its installation; if granted by the user, the app's capabilities are extended. Intents are used by Android apps for intercommunication", the researchers say in their security posting.

"These objects can be broadcast, passed to the startActivity call (when an application starts another activity), or passed to the startService call (when an application starts a service). Normally, when startActivity is called, the target activity's onCreate method is executed", adds the posting.

However, the researchers go on to say, under AndroidManifest.xml it is possible to different launch attributes, which affect this behaviour.

One example is the singleTask launch attribute, which makes the activity act as a singleton. This, they note, starts the startActivity call: if the activity has already been started when the call is made, the activity's onNewIntent member function is called instead of its onCreate method.

The researchers have posted a video detailing the scale of the problem.

What’s Hot on Infosecurity Magazine?