Utilizing the device profile, attackers could design a campaign to exploit any vulnerabilities in a targeted manner.
Google has released a partial fix for an Android issue that dates back to 2015, after initially rejecting the bug report because the mobile operating system was “functioning as intended.”
The issue, which still lacks a CVE designation despite having been partially resolved, relates to how Android uses Google’s Chrome browser. Chrome is the default browser for Android devices, and it also enables the WebView and Custom Tabs APIs, which allow applications to render web content without launching a separate browser window. Chrome and applications that use the associated APIs leak information about the hardware model, firmware version, and security patch level of the device on which they are running, according to Nightwatch Cybersecurity.
“This information can be used to track users and fingerprint devices,” researcher Yakov Shafranovich of Nightwatch wrote in a blog post last week. To target exploits, it can also be used to determine which vulnerabilities a particular device is susceptible to.
According to Nightwatch, which discovered the issue three years ago, Chrome includes a variety of HTTP headers whenever it sends a request to a web server for a page’s content.
According to the company, the User-Agent header is problematic because it contains the Android version number and build tag information; the latter identifies both the device name and its firmware build.
“For many devices, this information can be used to identify not only the device itself, but also the carrier on which it is running and, by extension, the country,” Shafranovich explained. “It can also be used to determine the device’s security patch level and the vulnerabilities it is susceptible to.”
The User-Agent header is widely accessible and is frequently employed by web servers to help determine the scope of reported interoperability issues, to work around or customize responses for particular user-agent limitations, and for analytics regarding browser or operating system use.
Thus, an attacker can easily set up a malicious website as a watering hole (or drive traffic there via spam and social engineering) and craft a campaign that exploits any vulnerabilities in a targeted manner by using information gathered from visiting devices.
After a new bug report was filed earlier in the year, Google partially resolved the issue with the release of Chrome v70, but Nightwatch didn’t publish an overview of the issue until after the holidays.
“The fix conceals the firmware data while preserving the hardware model identifier…” Shafranovich noted that the device’s model number remains unchanged. According to Google’s explanation, the fix only applies to the Chrome application itself and not to the WebView implementation used by application developers; the fix “does not apply the change required by the Android Compatibility Definition Document to Android WebView.”
According to Nightwatch, users should upgrade to version 70 or later, and app developers should take care to manually override the User-Agent configuration in WebView-using applications.
“While many are hesitant to do [the latter] for fear of losing compatibility, we recommend using the default user agent and removing the build and model information from it,” the researcher said.
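The following example is added here to illustrate two points from the article: how much device detail the Android User-Agent header carries before and after the Chrome 70 change, and what the researcher's recommended override (default user agent with build and model information removed) looks like in practice. It is not code from Nightwatch, Google or the Chrome project. The User-Agent strings and log lines are constructed for the example; the parsing pattern is a best-effort reading of the format described in the article (Android version, device model, `Build/` tag, and a `; wv` marker for WebView), not a specification.

```python
"""Audit Android User-Agent strings for device-fingerprinting data and
produce the stripped User-Agent an app can set on its WebView.

All sample User-Agent strings and log lines here are constructed for
this example; they are not captured from real devices or servers."""
import re
from typing import Optional

# Platform section of an Android User-Agent, e.g.
#   (Linux; Android 8.0.0; Pixel 2 XL Build/OPD1.170816.004; wv)
# "Build/..." is the firmware build tag Chrome 70 stopped sending;
# "; wv" marks an Android WebView. Model and build are both optional so
# that an already-stripped string still parses. Best-effort pattern.
UA_RE = re.compile(
    r"\(Linux;(?: U;)? Android (?P<version>[^;)]+)"
    r"(?:; [a-z]{2}-[a-zA-Z]{2})?"                      # locale in older UAs
    r"(?:; (?P<model>(?!wv\))[^;)]+?)"                  # device model
    r"(?: Build/(?P<build>[^;)]+))?)?"                  # firmware build tag
    r"(?P<wv>; wv)?\)"                                  # WebView marker
)

# Constructed samples: a WebView on Chrome 63, Chrome 70 after the fix,
# and a desktop browser for contrast.
UA_WEBVIEW = ("Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2 XL Build/OPD1.170816.004; wv) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/63.0.3239.111 "
              "Mobile Safari/537.36")
UA_CHROME70 = ("Mozilla/5.0 (Linux; Android 9; Pixel 2 XL) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36")
UA_DESKTOP = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36")

SAMPLE_LOG = [  # constructed Combined Log Format lines; UA is the last quoted field
    '10.0.0.5 - - [10/Jan/2019:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "%s"' % UA_WEBVIEW,
    '10.0.0.6 - - [10/Jan/2019:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "%s"' % UA_CHROME70,
    '10.0.0.7 - - [10/Jan/2019:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "%s"' % UA_DESKTOP,
]


def parse_android_ua(ua: str) -> Optional[dict]:
    """Return the device fields an Android User-Agent exposes, or None."""
    m = UA_RE.search(ua)
    if not m:
        return None
    return {
        "version": m.group("version"),
        "model": m.group("model"),        # None once the model is stripped
        "build": m.group("build"),        # None once the build tag is gone
        "webview": m.group("wv") is not None,
    }


def leak_level(ua: str) -> str:
    """Classify how much a request reveals about the sending device."""
    info = parse_android_ua(ua)
    if info is None:
        return "not-android"
    if info["build"]:
        return "model+build"   # firmware build => patch level is inferable
    if info["model"]:
        return "model"         # Chrome 70+ behaviour: hardware model still visible
    return "none"


def audit_log(lines) -> dict:
    """Count leak levels across access-log lines (UA = last quoted field)."""
    counts = {"model+build": 0, "model": 0, "none": 0, "not-android": 0}
    for line in lines:
        quoted = re.findall(r'"([^"]*)"', line)
        counts[leak_level(quoted[-1] if quoted else "")] += 1
    return counts


def strip_device_info(ua: str) -> str:
    """Keep the default User-Agent but drop the model and Build/ fields.

    Mirrors the recommendation to override the WebView User-Agent without
    replacing it wholesale: version and the "; wv" marker are retained."""
    m = UA_RE.search(ua)
    if not m:
        return ua
    kept = "(Linux; Android %s" % m.group("version")
    if m.group("wv"):
        kept += "; wv"
    return ua[:m.start()] + kept + ")" + ua[m.end():]


if __name__ == "__main__":
    for ua in (UA_WEBVIEW, UA_CHROME70):
        print(leak_level(ua), parse_android_ua(ua))
    print(audit_log(SAMPLE_LOG))
    print(strip_device_info(UA_WEBVIEW))
```

In an Android app, the value `strip_device_info` computes corresponds to reading the default string with `WebSettings.getUserAgentString()` and writing the reduced one back with `WebSettings.setUserAgentString()` (both are standard Android WebView APIs); the same parser run over server logs shows which of your clients still send a build tag.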