In association with heise online

03 August 2011, 11:40

Android browser vulnerable to "Cross Application Scripting"

IBM researchers have found that it is possible for third-party applications to inject JavaScript code into instances of the Android browser. According to a paper (PDF) published by the researchers, the vulnerability exists in Android 2.3.4 and 3.1 and is believed to exist in earlier versions.

The browser holds sensitive information such as cookies, cache and history, and injected JavaScript could make it possible to extract that information, indirectly breaking the Android sandbox architecture. The attack exploits flaws in how the browser reacts to calls to view web pages from other applications.

The researchers outlined two scenarios, one where the maximum number of tabs was open and one where two requests to the browser were sent in quick succession. They offered a proof of concept for the latter scenario, which involved the browser being opened to a specified URL and then being asked to execute some JavaScript; a malicious application would be able to harvest information about how a user interacts with the site at the specified URL.

IBM demonstrates the proof of concept for Android Cross Application scripting

It is suggested that an attacking application could also install itself as a service, which would allow it to inject JavaScript into the currently opened tab and could make an attack more effective. However, an attack would require the user to have downloaded and installed a malicious application that used the technique. The bug behind the flaw, found in the Browser's onNewIntent() method, is fixed in Android 2.3.5 and 3.2, and patches will be made available for Android 2.2.x.
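The class of check that closes this kind of hole, as an added example that is not the Android patch or code from the researchers: a browser decides whether to load a URL depending on whether the request came from another application. It assumes the script reaches the browser as a `javascript:` URL in the view request; `ExternalUrlGate`, `mayLoad` and the sample requests are hypothetical.

```java
import java.util.Locale;
import java.util.Set;

/** Added illustration, not Android source: gate URLs that arrive from other apps. */
public class ExternalUrlGate {
    // Assumption: only ordinary web schemes are loaded on behalf of another application.
    private static final Set<String> ALLOWED_FROM_APPS = Set.of("http", "https");

    /** Extracts the lower-cased scheme the way a lenient URL parser would see it. */
    static String scheme(String rawUrl) {
        if (rawUrl == null) return "";
        // Tabs and line breaks inside a URL are dropped by browser URL parsers, so
        // remove them first; otherwise "java\tscript:" would slip past the check.
        String url = rawUrl.replaceAll("[\\t\\r\\n]", "").trim();
        int colon = url.indexOf(':');
        return colon <= 0 ? "" : url.substring(0, colon).toLowerCase(Locale.ROOT);
    }

    /**
     * @param fromOtherApp true when the request came from another application
     *                     rather than from the user typing in the address bar
     */
    static boolean mayLoad(String rawUrl, boolean fromOtherApp) {
        if (!fromOtherApp) return true;          // the user's own input is not filtered here
        String s = scheme(rawUrl);
        if (s.isEmpty()) return false;           // no scheme: refuse rather than guess
        return ALLOWED_FROM_APPS.contains(s);    // script, file and data URLs are refused
    }

    public static void main(String[] args) {
        // Constructed sample requests: {url, "true" if sent by another application}
        String[][] samples = {
            {"https://example.com/login", "true"},
            {"javascript:void(0)", "true"},
            {" JavaScript:void(0)", "true"},
            {"java\tscript:void(0)", "true"},
            {"javascript:void(0)", "false"},
        };
        for (String[] r : samples) {
            boolean ok = mayLoad(r[0], Boolean.parseBoolean(r[1]));
            System.out.printf("%-28s fromOtherApp=%-5s -> %s%n",
                    r[0].replace("\t", "\\t"), r[1], ok ? "load" : "refuse");
        }
    }
}
```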

