Chrome on Android Exposes Fingerprinting Information

Utilizing the device profile, attackers could design a campaign to exploit any vulnerabilities in a targeted manner.

Google has released a partial fix for an Android issue that dates back to 2015, after initially rejecting the bug report because the mobile operating system was “functioning as intended.”

The issue, which still lacks a CVE designation despite having been partially resolved, relates to how Android uses Google’s Chrome browser. Chrome is the default browser for Android devices, and it also enables the WebView and Custom Tabs APIs, which allow applications to render web content without launching a separate browser window. Chrome and applications that use the associated APIs leak information about the hardware model, firmware version, and security patch level of the device on which they are running, according to Nightwatch Cybersecurity.

“This information can be used to track users and fingerprint devices,” researcher Yakov Shafranovich of Nightwatch wrote in a blog post last week. It can also be used to determine which vulnerabilities a particular device is susceptible to, so that exploits can be targeted.

According to Nightwatch, which discovered the issue three years ago, Chrome includes a variety of HTTP headers whenever it sends a request to a web server for a page’s content.

According to the company, the User-Agent header is problematic because it contains the Android version number and build tag information; the latter identifies both the device name and its firmware build.

“For many devices, this information can be used to identify not only the device itself, but also the carrier on which it is running and, by extension, the country,” Shafranovich explained. “It can also be used to determine the device’s security patch level and the vulnerabilities it is susceptible to.”

The User-Agent header is widely accessible and is frequently used by web servers to help determine the scope of reported interoperability issues, to work around or tailor responses to particular user-agent limitations, and for analytics regarding browser or operating system use.

Thus, an attacker can easily set up a malicious website as a watering hole (or drive traffic there via spam and social engineering) and craft a campaign that exploits any vulnerabilities in a targeted manner by using information gathered from visiting devices.

After a new bug report was filed earlier in the year, Google partially resolved the issue with the release of Chrome v70, but Nightwatch didn’t publish an overview of the issue until after the holidays.

“The fix conceals the firmware data while preserving the hardware model identifier…” Shafranovich noted that the device’s model number remains unchanged. According to Google’s explanation, the fix only applies to the Chrome application itself and not to the WebView implementation used by application developers: “Does not apply the change required by the Android Compatibility Definition Document to Android Web View.”

According to Nightwatch, users should upgrade to version 70 or later, and app developers should take care to manually override the User Agent configuration in WebView-using applications.

“While many are hesitant to do [the latter] for fear of losing compatibility, we recommend using the default user agent and removing the build and model information from it,” the researcher said.
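The following added example, which is not code from the article, Nightwatch or Google, reports what the platform part of a User-Agent discloses and produces the stripped string the researcher recommends for WebView apps. The sample User-Agent values and the function names are constructed for illustration; in an Android app the stripped string would be applied with `WebSettings.setUserAgentString()`.

```python
import re

# Platform comment of an Android Chrome/WebView User-Agent:
#   (Linux; Android <version>; <model> Build/<build id>; wv)
# Model, build tag and the "wv" WebView marker are each optional.
_PLATFORM = re.compile(
    r"\(Linux; (?:U; )?Android (?P<version>[^;)]+)"
    r"(?:; (?!wv\))(?P<model>[^;)]*?))?"
    r"(?: ?Build/(?P<build>[^;)]+))?"
    r"(?P<wv>; wv)?\)"
)

# Constructed sample values: the model name and build id are made up.
UA_WEBVIEW = (
    "Mozilla/5.0 (Linux; Android 8.1.0; ExamplePhone X1 "
    "Build/ABC1.000000.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Version/4.0 Chrome/69.0.0.0 Mobile Safari/537.36"
)
UA_CHROME_70 = (
    "Mozilla/5.0 (Linux; Android 8.1.0; ExamplePhone X1) "
    "AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/70.0.0.0 Mobile Safari/537.36"
)


def disclosed_fields(ua):
    """Return the device details any web server can read from this UA."""
    m = _PLATFORM.search(ua)
    if not m:
        return {}
    return {k: v for k, v in m.groupdict().items() if v and k != "wv"}


def strip_device_details(ua):
    """Drop model and build tag; keep the OS version and WebView marker."""
    def repl(m):
        return "(Linux; Android %s%s)" % (m.group("version"), m.group("wv") or "")
    return _PLATFORM.sub(repl, ua, count=1)


if __name__ == "__main__":
    for ua in (UA_WEBVIEW, UA_CHROME_70):
        print("discloses:", disclosed_fields(ua))
        print("stripped: ", strip_device_details(ua))
```

The Chrome 70 sample still reports the model, which matches the partial fix described above; only the stripped form removes both fields.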


The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.
