back to article Renegade Android apps can siphon off your web logins, browser history. So make sure Chrome or OS is patched, friends

Smartphones and other gadgets running Android 4.4 or later contain a bug that can be exploited by rogue apps to steal website login tokens and spy on owners' browsing histories. Those stolen authentication tokens can be used by a malicious application, such as a dodgy quiz app or game, to log into sites as the gizmo's owner to …

  1. Version 1.0 Silver badge
    Joke

    JAB

    Just Another Bug ... bugs are normal, I'd be a lot more worried if they were claiming that the software was completely bug free. Bugs are normal, eventually we find them and fix move them - works fine until someone notices where they were moved to. I've never seen software that was bug-free but I have seen bugs that were software-free ... at least it looked that way.

  2. mark l 2 Silver badge

    On my Marshmallow based device when I looked on Google Play for webview I wasn't given an option to update, but rather to install the app as if it weren't there already. Which appears to go against what the article was saying that it is a system app.

    I do have Chrome installed as well which had been automatically updated.

  3. ThatOne Silver badge

    More information please?

    I understand everybody uses Chrome since it comes bundled with everything, but what about people using Firefox?

    Does Firefox use WebView too, and is it vulnerable in the same way?

    (Yes, my Android phone has Chrome installed (obviously), but I never ever even fired it up.)

    1. diodesign (Written by Reg staff) Silver badge

      Re: More information please?

      Firefox on Android is fine - it uses its own engine. Anything that uses Webview and/or Chrome is affected. Just a heads up, TBH.

      C.

      1. doublelayer Silver badge

        Re: More information please?

        Chrome could also be launched by a malicious link or app, although if you've set Firefox as the default browser that's less likely. I think an app can still select which browser opens a page, though, which could be a potential vector. Still, it's a lot less likely to be done.

      2. Dan 55 Silver badge

        Re: More information please?

        However Firefox Focus is a Webview wrapper but it doesn't store history or logons.

      3. Jamie Jones Silver badge

        Re: More information please?

        Earlier versions of lollipop (and i'm guessing anything before that) don't allow webview to be updated via the playstore. You can install webview, and update it, but it will never be used, as the pre-installed versions path is hardcoded.

    2. Jamie Jones Silver badge

      Re: More information please?

      Bear in mind that "webview" is a generic html rendering library that any other apps you have can use to render HTML within the app itself, so it's not just about "firing up a browser"

  4. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921 Bronze badge

    Security on Android is such a sh*tshow that I often wonder if the platform was designed specifically to facilitate such.

    1. Jamie Jones Silver badge

      I agree. And at least as far as 5.1 lollipop, many permissions could be gotten around. It was easy for any app with no granted permissions at all to get things like mac address, and router mac address.

      These days, the play store groups permission requests to make them "simpler" - grant a permission group, and any subsequent app update can specify any other app in that group and it will be granted without the users knowledge.

      Oh, and internet access is a given now. I've seen all sorts of abuses by even "respectable" companies... It's all rather like the facebook situation, where facebook 'trusted' third-parties not to abuse overly permissive permissions.

      It's intrinsic. The only way to have any chance of control is to block all apps internet access at the unix level, or via the router (though the latter option makes it harder to allow specific apps access!)

    2. dajames Silver badge

      The software isn't the problem, it's the (lack of) updates!

      Security on Android is such a sh*tshow that I often wonder if the platform was designed specifically to facilitate such.

      Security on pretty-much everything is bad, because most people don't understand the issues so and won't spend the time and money necessary to address them.

      I'd agree that Security is worse on Android than on many other platforms -- but that's not because Android has noticeably more bugs or exploits, it's because many Android users are unable to get updates for their devices. Even when Google have fixed a problem the update won't necessarily be made available in a timely fashion (or at all!) on the devices people are using, especially devices running older versions of Android (such as KitKat, as cited in the article).

      1. John Brown (no body) Silver badge

        Re: The software isn't the problem, it's the (lack of) updates!

        "especially devices running older versions of Android (such as KitKat, as cited in the article)."

        Yep. Galaxy Note 2 here. Not seen any updates in years.

  5. dajames Silver badge

    How does this work?

    Does this bug enable an attacker to steal credentials as they are entered, or does it just steal them from the "remembered passwords" store that the browser manages?

    In other words: If I never allow the browser to remember any login credentials, am I safe from this exploit?

  6. anoco

    "Discovered" Obsolence

    It took a while but they finally figured out a way to force people to buy newer phones and tablets. This webview update,

    (https://play.google.com/store/apps/details?id=com.google.android.webview)

    that the article should have named "Android System Webview" instead to stop people from installing someone else's webview app, is not really compatible with older Android versions. My 4.4 tablet for example, is not compatible. I still need to look at my other older devices, but I have this nagging feeling that the result will be the same.

    Since the manufacturers will never update anything older than one year, and Google's updates are not compatible with older OSes, we're just sitting ducks ala W98 and W2k.

    So if you're happy with your hardware, the only solution for this problem is to stop entering any passwords on your browsers. I'm sure there are other browsers using webview as well.

    But how about other apps? Are non-browser apps be using webview as well?

    1. diodesign (Written by Reg staff) Silver badge

      Android System WebView

      Thanks - will tweak the article.

      C.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019