Software update delays are an inevitability because of the way the Android ecosystem is built, but these delays aren’t just an annoyance for Android users — they can be dangerous. A bug discovered by security researcher Rafay Baloch in early September caused Android’s stock (AOSP) web browser to fail to enforce the same-origin policy (SOP), the browser security rule that stops a page loaded from one site from reading content that belongs to another. The bug affected all devices running Android versions older than KitKat (4.4), and Google patched it fairly quickly.
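To make concrete what the browser was failing to enforce, here is an added example (not code from the article, from Lookout, or from the AOSP browser) that implements the same-origin comparison a browser is supposed to perform: two URLs share an origin only when scheme, host and port all match, and a script may read another document's content only across a shared origin. The URLs and the `crossOriginReadAllowed` helper are constructed for illustration.

```javascript
// Added example: what the same-origin policy (SOP) compares.
// An "origin" is the (scheme, host, port) triple of a URL. A page may read the
// DOM of another page only if all three components match. The AOSP browser bug
// described above let a page skip this check, so a site controlled by a spammer
// or a spy could read content from any other site the user had open.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise a URL to its origin triple, filling in the scheme's default port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Decide whether script running in `requester` may read content loaded from
// `target`. Reports the first mismatching component so the reason is visible.
function crossOriginReadAllowed(requester, target) {
  const x = originOf(requester), y = originOf(target);
  for (const part of ["scheme", "host", "port"]) {
    if (x[part] !== y[part]) {
      return { allowed: false, mismatch: part, requester: x[part], target: y[part] };
    }
  }
  return { allowed: true, mismatch: null };
}

// Constructed cases: [requesting page, page being read, expected verdict].
const CASES = [
  ["http://bank.example/account", "http://bank.example/transfer", true],  // same site, different path
  ["http://bank.example/", "http://bank.example:80/", true],               // explicit default port
  ["http://bank.example/", "https://bank.example/", false],               // scheme differs
  ["http://bank.example/", "http://www.bank.example/", false],            // subdomain differs
  ["http://bank.example/", "http://bank.example:8080/", false],           // port differs
  ["http://attacker.example/", "http://bank.example/account", false],     // the spammer/spy case
];

function runCases() {
  return CASES.map(([req, tgt, expected]) => {
    const verdict = crossOriginReadAllowed(req, tgt);
    return {
      req, tgt, expected,
      got: verdict.allowed,
      mismatch: verdict.mismatch,
      ok: verdict.allowed === expected,
    };
  });
}

for (const r of runCases()) {
  const outcome = r.got ? "readable" : `blocked (${r.mismatch} differs)`;
  console.log(`${r.ok ? "PASS" : "FAIL"} ${r.req} -> ${r.tgt}: ${outcome}`);
}
```

Run it with Node.js; every case should print PASS. The last case is the one the vulnerable browser got wrong: a page on `attacker.example` must not be able to read `bank.example`, and a browser that returns "readable" there has no meaningful isolation between sites.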
But because handset makers and carriers take so long to test and distribute Android updates, a new study has determined that nearly half of all Android phones are still affected by the bug.
As noted by ZDNet, Rapid7 security researcher Tod Beardsley described the bug as a “privacy disaster,” making it so that “any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.”
According to the security experts at Lookout, the bug still affects about 45% of the Android phones and tablets running Lookout software. That is a sizable sample: Lookout’s software is currently in use on more than 100 million devices.
“We believe our userbase offers a good look at how Android users overall are being affected by vulnerabilities such as this one,” Lookout’s Jeremy Linden and Meghan Kelly wrote in a blog post. “Our country-by-country data reveals some surprising stats about where people are most vulnerable. Japan is the most vulnerable with 81% of Lookout users in the region with the unsafe browser installed. Spain takes second place with 73%. Phones in those regions may receive updates less frequently, thus they are more likely to be vulnerable. The U.S., on the other hand, has a lower risk because the average age of phones is also much lower. Therefore, fewer of them are vulnerable.”
As noted by Lookout, here are the steps you should take to protect yourself:
- If you’re running Android 4.3 or older, upgrade! Later Android versions are not susceptible.
- If you have a phone that cannot be updated to a newer Android OS version, unfortunately you may need to replace it with a newer device that receives patches more readily.
- Download the Chrome or Firefox browser. Both are more modern, more feature-rich browsers, and neither is affected by the vulnerability.
- Make Chrome or Firefox your default browser for opening links – that way you don’t have to worry about apps handing links to the vulnerable browser.
Here are instructions on how to install Chrome or Firefox and make it your default browser on your Android device:
- Go to Google Play and download the Chrome or Firefox app
- Install the Chrome or Firefox app like you would any other application from Google Play
- Go to your settings
- Go to the “apps menu” or the “application manager”
- View “all apps” in the app menu
- Select the AOSP browser (on most phones this will be called “Internet” or “Browser”)
- Tap “clear default”
- The next time you click on a URL, your phone will ask you which application it should open with. Make sure to select the new browser you recently downloaded, and check the “always” box so it remembers your choice for next time.