Google has issued a partial fix for an Android issue dating back to 2015 – after originally rejecting the bug report on the grounds of the mobile OS “working as intended.”
The issue – which still doesn’t have a CVE designation despite being partially addressed as a problem – has to do with how Android uses Google’s Chrome browser. Chrome is the default browser for Android devices, and it also enables the WebView and Custom Tabs APIs, which let applications render web content within the apps themselves without opening a separate browser window. According to Nightwatch Cybersecurity, Chrome and applications that use the associated APIs leak information about the hardware model, firmware version and security patch level of the device on which they are running.
“This information can be used for track users and fingerprint devices,” said Nightwatch researcher Yakov Shafranovich, in a post last week. “It can also be used to determine which vulnerabilities a particular device is vulnerable to in order to target exploits.”
According to Nightwatch, which discovered the problem three years ago, whenever Chrome sends a request out to a web server for a page’s content, it includes a range of HTTP headers.
The User-Agent header in particular is problematic, according to the firm, because it includes the Android version number and build tag information; the latter identifies both the device name and its firmware build.
“For many devices, this can be used to identify not only the device itself, but also the carrier on which it is running and from that the country,” explained Shafranovich. “It can also be used to determine which security patch level is on the device and which vulnerabilities the device is vulnerable to.”
The User-Agent header is widely accessible and is often used by web servers to help identify the scope of reported interoperability problems, to work around or tailor responses to avoid particular user-agent limitations, and for analytics regarding browser or operating system use.
Thus, an attacker can simply set up a malicious web site as a watering hole (or could drive traffic there via spam and social engineering), and craft a campaign that makes use of the intel coming from visiting devices in order to exploit any vulnerabilities in a targeted fashion.
Google partially fixed the issue with the release of Chrome v70, after a new bug report was filed earlier in the year, but the problem overview wasn’t published by Nightwatch until after Christmas.
“The fix hides the firmware information while retaining the hardware model identifier … The device model number remains,” said Shafranovich. He added, “The fix only applies to the Chrome application itself, and not to the WebView implementation used by application developers as per the following explanation [from Google]: ‘Does not apply the change to Android Web View as mandated by the Android Compatibility Definition Document.’”
Users should upgrade to version 70 or later, and to fix applications that contain WebView usage, app developers should take care to manually override the User Agent configuration in their apps, according to Nightwatch.
“While many are reluctant to do [the latter out of fear of losing] compatibility, we would like to suggest the approach of using the default user agent and erasing the build and model information in it,” the researcher noted.