Comment: We are still vulnerable to JavaScript code injection
=================================================================================================
By Lucian ConstantinAugust 1, 2014 12:54 PM ET IDG News Service - Security researchers have recently found a vulnerability that could be used to hijack Android apps and devices, but an older issue that can have the same effect remains a significant threat nearly two years after its discovery, according to security firm Bromium.
The issue was reported in December 2012 and concerns an Android API (application programming interface) called addJavascriptInterface that allows applications to expose their native code to Web code running inside a WebView, an instance of Android's Web browser engine.
A large number of applications and advertising frameworks embedded into applications use WebView to display Web content loaded from remote servers -- for example, ads. The problem is that many of these apps don't load the WebView content over an encrypted HTTPS (HTTP Secure) connection.
This lack of data transport encryption allows attackers who intercept connections coming from such an app to inject rogue JavaScript code into its traffic. This is known as a man-in-the-middle attack and there are several methods to pull it off, especially on wireless networks.
ComputerWorld/ Full Article Here/ http://www.computerworld.com/s/article/9250110/Android_vulnerability_still_a_threat_after_nearly_two_years
Userlevel 7
The following article is a update.
Lucian Constantin Oct 8, 2014 8:48 AM Around 45 percent of Android devices have a browser that is vulnerable to two serious security issues, but some countries have a considerably larger percentage of affected users than others, according to data from mobile security firm Lookout.
The two security issues were discovered over the past month by a security researcher named Rafay Baloch and were described as a privacy disaster by other researchers. They allow an attacker to bypass a core security boundary, called the same-origin policy (SOP), that exists in all browsers.
The SOP prevents scripts from one domain from interacting with data from a different domain. For example, scripts running on a page hosted on domain A should not be able to interact with content loaded on the same page from domain B.
PCWorld/ Article/ http://www.pcworld.com/article/2823012/almost-half-of-android-devices-still-have-a-vulnerable-browser-installed.html
(Nearly half of all Android devices are still vulnerable to two serious browser exploits)
Lucian Constantin Oct 8, 2014 8:48 AM Around 45 percent of Android devices have a browser that is vulnerable to two serious security issues, but some countries have a considerably larger percentage of affected users than others, according to data from mobile security firm Lookout.
The two security issues were discovered over the past month by a security researcher named Rafay Baloch and were described as a privacy disaster by other researchers. They allow an attacker to bypass a core security boundary, called the same-origin policy (SOP), that exists in all browsers.
The SOP prevents scripts from one domain from interacting with data from a different domain. For example, scripts running on a page hosted on domain A should not be able to interact with content loaded on the same page from domain B.
PCWorld/ Article/ http://www.pcworld.com/article/2823012/almost-half-of-android-devices-still-have-a-vulnerable-browser-installed.html
Reply
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.