Android 5.0 Lollipop, set to be released in November, fixes a design issue in Android KitKat that left the OS exposed to newly-disclosed bugs in the Chromium project.
Google has quietly introduced a fairly important change for Android devices from Android 5.0 onward, stemming from a new way of updating WebView, a system component of Android which developers can use to display web content in their apps.
As Google flagged last week, WebView in Lollipop will be updated through Google Play. In all previous versions of Android, WebView has been bundled with the Android firmware. From a security standpoint, that wasn't good: if a new flaw was found in WebView, the only way a fix could reach end users was through the unwieldy process of delivering it from Google to OEMs and carriers and finally, if ever, to the device.
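Because the Play-delivered WebView is a separately versioned package rather than part of the firmware image, a defender can audit which build a device is actually running. The script below is an added example, not code from the article or from Google: it parses the `versionName` line that `adb shell dumpsys package` prints for the Android System WebView package (package name `com.google.android.webview`, which the article does not mention) and compares it against a minimum acceptable version. The dumpsys output and the version numbers are constructed for the example, not captured from a real device.

```shell
#!/bin/sh
# Added example: audit the installed Android System WebView version.
# The package name com.google.android.webview is the Play-updatable WebView
# package; the SAMPLE_DUMPSYS text below is constructed, not real device output.

SAMPLE_DUMPSYS='Packages:
  Package [com.google.android.webview] (3a1f2b):
    userId=10042
    versionCode=1916144 minSdk=21 targetSdk=21
    versionName=37.0.0.0
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]'

# Read dumpsys output on stdin and print the first versionName= value.
webview_version() {
    sed -n 's/^[[:space:]]*versionName=\([0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted version strings numerically, component by component.
# Prints 1 if $1 >= $2, otherwise 0 (missing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) { print 1; exit }
            if (xi < yi) { print 0; exit }
        }
        print 1
    }'
}

# check_webview DUMPSYS_TEXT MIN_VERSION
# Returns 0 if the installed WebView meets MIN_VERSION, 1 if it is older,
# and 2 if no versionName could be found in the dumpsys output at all.
check_webview() {
    installed=$(printf '%s\n' "$1" | webview_version)
    if [ -z "$installed" ]; then
        echo "webview package not found in dumpsys output"
        return 2
    fi
    if [ "$(version_ge "$installed" "$2")" = 1 ]; then
        echo "ok: installed WebView $installed >= $2"
        return 0
    fi
    echo "OUTDATED: installed WebView $installed < $2"
    return 1
}

# Against a connected device this would be driven by:
#   adb shell dumpsys package com.google.android.webview
# Here it runs over the constructed sample.
check_webview "$SAMPLE_DUMPSYS" "37.0.0.0"
```

In a fleet check you would capture the dumpsys output per device and feed it to `check_webview` with the oldest WebView build you are willing to accept; a return code of 2 tells the Play-delivered package apart from a device still running the firmware-bundled WebView that this article describes.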
A case in point came earlier this year: a WebView exploit affecting Android versions 4.2 and below left 70 percent of Android devices vulnerable to an attack that only required a user to capture a malicious QR code to give 'shell command' access to the attacker. An app compromised this way would give the attacker all they needed to steal contacts and pictures and manipulate data on the device.
Then in July this year came the FakeID bug, an Adobe System WebView plugin privilege escalation, which affected all versions of Android below KitKat (version 4.0). The security firm that found that flaw, Bluebox, has a detailed writeup here, but basically malware could use Adobe's web view plugin to impersonate Adobe and gain its privileges on a device.
More recently, a WebView bug in the built-in browser with Android 4.3 and below left users exposed to spying or session hijacking, spelling a potential privacy disaster if it was exploited.
The reason none of the flaws affected KitKat was that Google moved WebView from WebKit to a Chromium-based fork of WebKit, giving it access to more modern browser features. But as Android Police pointed out recently, KitKat still retained the same model whereby security patches for WebView were tied to the OS.
Security experts who have spent time digging around WebView have given the change in Android 5.0 a big thumbs up.
"It's an awesome security feature. It would have allowed 4.3 and below phones to be patched from all the universal cross-site scripting and remote code execution vulnerabilities we found without requiring a full vendor update, which is what prevents most users from updating," Joe Vennix, a researcher at security firm Rapid7, told ZDNet.
"In Android 4.4, WebView's internal implementation is replaced by Chromium's fork of WebKit. This fixed some vulnerabilities that were only present because Android's WebKit library was so far off WebKit master and was not receiving proper security fixes from upstream. Hopefully using Chromium instead of WebKit will mean more frequent updates from upstream."
"In Android L, Chromium implementation is allowed to auto-update without needing a full vendor or OS update. That way, browser security is placed back in the hands of Google, rather than requiring an intermediary re-build from the vendors."
But Accuvant security researcher Joshua Drake also points out that providing WebView updates through Google Play fixes a weird problem that Google introduced when it moved to Chromium. "The Chrome team discloses bugs on a regular basis and leaves Android's built-in WebKit exposed to bugs," said Drake.
Essentially, fixing one project endangered another by providing hackers with the tools to create an exploit. "Chromium publicly discloses their own bugs all the time and if the user cannot update, their disclosures are essentially providing exploits that cannot be patched," said Vennix.