Android Browser Security--What You Haven't Been Told

Google cannot and will not patch these or other bugs, because the Android patch process is both technically and politically (too) difficult—in Google's own words, patches are "no longer practical to do safely". Google regularly abandons large segments of the Android base, and the above design flaws now infect more than 50% of Android devices. As of April 4, 2016, KitKat is 33.4% of the total Android base; Jelly Bean is 21.3%, and earlier versions sum to 4.9%. Web browsing of sensitive data on those platforms is unsafe if the system libraries are involved.

This problem is exacerbated by wireless carriers who still stock KitKat, Jelly Bean and earlier versions. Even the largest of carriers are guilty of this activity, and they include no disclosure that these older OS versions have weak, exploitable encryption and a slew of other flaws, which place them at a severe disadvantage for sensitive traffic. Some carriers spend far more effort in locking phones with bootloaders that require kernels bearing digital signatures than they have ever spent on security patches.

Original Equipment Manufacturers (OEMs) cause equal trouble. Although many "stock browsers" in various versions of Android use the system WebKit, some OEMs build separate versions of WebKit for their branded browsers that exhibit the same (lack of) support as shown by Google. OEM/vendor browsers also cannot be trusted with sensitive data.

The US Federal Communications and Trade Commissions (FCC and FTC) have announced a joint investigation into Google and its partners over the lack of security updates for Android, which may result in future architecture changes but is unlikely to secure the older releases. Ideally, the FCC would compel carriers and OEMs to release signing keys for phones that have gone without security patches for more than six months, giving users of abandoned phones the option of third-party security support.

Had Microsoft taken the final Trident rendering engine from Windows XP's Internet Explorer and locked it to 50% of the Windows user community while actively preventing updates, the condemnation would have been fierce and brutal. The time has come to recognize that what Google has done is far worse—XP and KitKat support ended within a few months of one another, but Microsoft does not allow XP to proliferate through third parties as Google does with its orphaned products.

It was likely with some measure of relief that Apple and the WebKit team greeted the news that Google was forking the code, forming the Blink engine and leaving the project. Google has the worst security record of any large WebKit implementation. Although other Linux distributions also lag on WebKit security, none has the ubiquity of Android. Google's departure will only improve WebKit's security standing.

The Plague Spreads

A number of browsers in the Google Play Store are reputedly faster and more feature-rich than Chrome. Some even assert greater security, a claim I will refute below. Chrome is generally seen as a conservative choice by app review sites, and it is rarely listed in first place in Android browser reviews.

These faster browsers often simply wrap new UI controls around the system WebKit, and thus inherit all of the security flaws of the Android version upon which they run.

Browsers that run with degraded security, as tested on Jelly Bean and reported by the Qualys SSL Scanner, include Apus, Apus Turbo, Best Browser, Boat Browser, Brave (Link Bubble), CM Browser, Dolphin, Dolphin Zero, Easy, Flynx, Flyperlink, Ghostery, Javelin, Maxthon, Mercury, Naked Browser, Next Browser, Ninesky, Safe Browser and UC Browser. These browsers are to be avoided on 4.4 KitKat and lower versions of Android. See Table 1 for details.

Table 1. Browser Security Comparison

Results as reported by the Qualys SSL client test on Jelly Bean. In the RC4 column, "Yes" means the browser still offers RC4 cipher suites (a weakness); in the TLS 1.2 column, "Yes" means the browser supports TLS 1.2 (a strength).

Browser              Version            FREAK       Logjam      POODLE      RC4   TLS 1.2
-------------------  -----------------  ----------  ----------  ----------  ----  -------
Apus                 1.4.9              Vulnerable  Vulnerable  Vulnerable  Yes   No
Apus Turbo           1.4.7.1003         Vulnerable  Vulnerable  Vulnerable  Yes   No
Best                 1.5.1              Vulnerable  Vulnerable  Vulnerable  Yes   No
Boat                 8.7.4              Vulnerable  Vulnerable  Vulnerable  Yes   No
Boat Mini            6.4.6              Vulnerable  Vulnerable  Vulnerable  Yes   No
Brave (Link Bubble)  1.9.19             Vulnerable  Vulnerable  Vulnerable  Yes   No
CM Browser           5.20.44            Vulnerable  Vulnerable  Vulnerable  Yes   No
Dolphin              11.5.6             Vulnerable  Vulnerable  Vulnerable  Yes   Yes
Dolphin Zero         1.3                Vulnerable  Vulnerable  Vulnerable  Yes   No
Easy                 3.0.2              Vulnerable  Vulnerable  Vulnerable  Yes   No
Firefox              46.0.1             Safe        Safe        Safe        No    Yes
Flynx                2.0.1              Vulnerable  Vulnerable  Vulnerable  Yes   No
Flyperlink           1.36.RC4           Vulnerable  Vulnerable  Vulnerable  Yes   No
Ghostery             1.3.3              Vulnerable  Vulnerable  Vulnerable  Yes   No
Google Chrome        50.0.2661.89       Safe        Safe        Safe        No    Yes
Javelin              4.1.11             Vulnerable  Vulnerable  Vulnerable  Yes   No
Maxthon              4.5.9.3000         Vulnerable  Vulnerable  Vulnerable  Yes   No
Mercury              3.2.3              Vulnerable  Vulnerable  Vulnerable  Yes   No
Naked                1.0 Build 114      Vulnerable  Vulnerable  Vulnerable  Yes   No
Next                 2.11               Vulnerable  Vulnerable  Vulnerable  Yes   No
Ninesky              5.2.0              Vulnerable  Vulnerable  Vulnerable  Yes   No
Opera                36.2.2126.102826   Safe        Safe        Safe        No    Yes
Opera Mini           16.0.2168.103662   Vulnerable  Vulnerable  Vulnerable  Yes   No
Power                48.0.2016042602    Safe        Safe        Safe        No    Yes
Puffin               4.7.4.2567         Safe        Safe        Safe        Yes   Yes
Safe Browser         1.17               Vulnerable  Vulnerable  Vulnerable  Yes   No
UC Browser           10.9.8.770         Vulnerable  Vulnerable  Vulnerable  Yes   Yes
Yandex               16.2.2.7988        Safe        Safe        Safe        No    Yes
Yolo                 1.0.1.83           Safe        Safe        Safe        No    Yes
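To make the five columns of Table 1 concrete, the following added example (written for this edit, not code from the article or from Qualys) derives each verdict from what a TLS client actually offers: its protocol versions, its cipher-suite list and the smallest Diffie-Hellman group it will accept. The record format and the two sample clients are constructed for illustration; the checks are simplified indicators of each weakness, not a reimplementation of the Qualys client test, which also actively probes how the client reacts to bad server behaviour.

```python
# Added example: derive the Table 1 verdicts (FREAK, Logjam, POODLE, RC4, TLS 1.2)
# from a TLS client's offered capabilities. Record format and sample data are
# constructed; they are not scanner output.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class ClientCapabilities:
    name: str
    protocols: Set[str]                 # e.g. {"SSLv3", "TLSv1.0", "TLSv1.2"}
    cipher_suites: List[str]            # IANA suite names, in the order offered
    min_dh_bits_accepted: int = 1024    # smallest DHE group the client will accept


def freak_exposed(c: ClientCapabilities) -> bool:
    # FREAK: export-grade (512-bit) RSA key exchange. Offering RSA_EXPORT suites is
    # a sufficient indicator; a full test would also try to push a 512-bit
    # ServerKeyExchange at a client that never asked for an export suite.
    return any("RSA_EXPORT" in s for s in c.cipher_suites)


def logjam_exposed(c: ClientCapabilities) -> bool:
    # Logjam: export-grade DHE suites, or willingness to accept DH groups < 1024 bits.
    return (any("DHE_" in s and "_EXPORT" in s for s in c.cipher_suites)
            or c.min_dh_bits_accepted < 1024)


def poodle_exposed(c: ClientCapabilities) -> bool:
    # POODLE: SSL 3.0 combined with a CBC-mode suite (the padding oracle is in SSLv3 CBC).
    return "SSLv3" in c.protocols and any("_CBC_" in s for s in c.cipher_suites)


def offers_rc4(c: ClientCapabilities) -> bool:
    return any("RC4" in s for s in c.cipher_suites)


def supports_tls12(c: ClientCapabilities) -> bool:
    return "TLSv1.2" in c.protocols


def assess(c: ClientCapabilities) -> Dict[str, str]:
    """Return the Table 1 columns for one client, using the table's own vocabulary."""
    def vuln(flag: bool) -> str:
        return "Vulnerable" if flag else "Safe"

    def yesno(flag: bool) -> str:
        return "Yes" if flag else "No"

    return {
        "FREAK": vuln(freak_exposed(c)),
        "Logjam": vuln(logjam_exposed(c)),
        "POODLE": vuln(poodle_exposed(c)),
        "RC4": yesno(offers_rc4(c)),
        "TLS 1.2": yesno(supports_tls12(c)),
    }


def has_protocol_flaw(c: ClientCapabilities) -> bool:
    """True if any of the three named attacks applies (the article's 'avoid' criterion)."""
    v = assess(c)
    return "Vulnerable" in (v["FREAK"], v["Logjam"], v["POODLE"])


# Constructed sample: a client shaped like an old system WebKit stack.
LEGACY_WEBKIT_CLIENT = ClientCapabilities(
    name="constructed legacy WebKit-style client",
    protocols={"SSLv3", "TLSv1.0"},
    cipher_suites=[
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    ],
    min_dh_bits_accepted=512,
)

# Constructed sample: a client shaped like a current browser with its own TLS stack.
MODERN_CLIENT = ClientCapabilities(
    name="constructed modern client",
    protocols={"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    cipher_suites=[
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",   # CBC, but no SSLv3 to reach it through
    ],
    min_dh_bits_accepted=2048,
)


def format_row(c: ClientCapabilities) -> str:
    cells = "  ".join(f"{k}={v}" for k, v in assess(c).items())
    return f"{c.name:<40} {cells}"


if __name__ == "__main__":
    for client in (LEGACY_WEBKIT_CLIENT, MODERN_CLIENT):
        print(format_row(client))
```

The Dolphin and UC Browser rows show why the TLS 1.2 column is kept separate from the verdicts: a client can advertise TLS 1.2 and still carry SSLv3 and export suites, and a downgrade attack only needs the weak options to be present.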
______________________

Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.