Beware of Chromium for Android - use other browsers instead

Testing the web interface of my own STS-PiLot remote control software with Chromium for Android running on my FP2 gave me a great surprise this morning:
Once a webpage with JavaScript is opened in Chromium, the JavaScript keeps running, even with Chromium pushed into the background (through starting another app, for example). The only thing that stopped the script running was to remove Chromium from the “recent apps” list that you get when you touch the right (square) button on your phone.
This is potentially dangerous. One could, for example, write a simple JavaScript that just hogs bandwidth, and mobile data users are in for a surprise when they get their next bill.
I do not know if Chrome behaves in the same way as Chromium. I am using FP OpenOS and installed Chromium via the “Auto Updater for Chromium” you get on F-Droid. I would be careful and use other browsers like “Lightning” or “Ice Cat Mobile” that do not show this insecure behaviour.

1 Like

Thank you for letting us know :expressionless:

  1. That attack is not dangerous. No data will be deleted or leaked. The phone will not be damaged. No (or only little) money will be lost.
  2. That attack would not make any profit for the attacker, so there is no motivation for any profit-oriented hacker to do that.
  3. If someone wants to cause high data usage, this can also be done in the foreground with almost every browser. Auto-starting videos are a big data consumer and can’t be mitigated by disabling background data (see next point).
  4. Background data usage can be restricted/disabled (for every browser) via the data usage monitor. So the mobile data is only used when the browser is actually shown on the screen.
  5. Inside the data usage monitor, you can actually stop the mobile data usage after a certain limit is reached (in the rare case you pay per MB).

So, in my opinion, there is no reason to change the browser because of that.

8 Likes

The data usage was just an example, but there is more that one can do with HTML5 and JavaScript: I just tested with the free videoconferencing system appear.in.
While the video stream stops once Chromium is in the background, it keeps streaming your microphone. So simply clicking (or better, touching) Chromium away will not get you out of the conference room, and if you overlook the little camera icon in the top bar you are bugged.
So for me this is still a security issue.
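
A site that captures audio can handle the background case described above from its own side by reacting to the Page Visibility API. The following is an added example, not part of any post in this thread and not appear.in's code; it assumes the browser fires `visibilitychange` when it is sent to the background, and `guardMicrophone` and the fake document/stream helpers are hypothetical names used only here.

```javascript
// Added example: mute microphone capture while the page is hidden.
// `doc` is a Document-like object and `stream` a MediaStream-like object;
// both are passed in so the logic can be exercised outside a browser.
function guardMicrophone(doc, stream, log = []) {
  const apply = () => {
    const hidden = doc.visibilityState === 'hidden';
    for (const track of stream.getAudioTracks()) {
      // A disabled audio track delivers silence but stays live, so the
      // call can resume without asking for the microphone again.
      track.enabled = !hidden;
    }
    log.push(hidden ? 'muted' : 'live');
    return hidden;
  };
  doc.addEventListener('visibilitychange', apply);
  apply(); // covers a page that is already hidden when the guard is installed
  return { log, dispose: () => doc.removeEventListener('visibilitychange', apply) };
}

// Constructed stand-ins for document and MediaStream (not browser objects).
function makeFakeDocument() {
  const listeners = new Set();
  return {
    visibilityState: 'visible',
    addEventListener(type, fn) { if (type === 'visibilitychange') listeners.add(fn); },
    removeEventListener(type, fn) { if (type === 'visibilitychange') listeners.delete(fn); },
    setVisibility(state) { this.visibilityState = state; listeners.forEach((fn) => fn()); },
  };
}
function makeFakeStream(n) {
  const tracks = Array.from({ length: n }, () => ({ kind: 'audio', enabled: true }));
  return { getAudioTracks: () => tracks };
}

function demo() {
  const doc = makeFakeDocument();
  const stream = makeFakeStream(2);
  const guard = guardMicrophone(doc, stream);
  doc.setVisibility('hidden');   // user switches to another app
  const mutedInBackground = stream.getAudioTracks().every((t) => !t.enabled);
  doc.setVisibility('visible');  // user returns to the browser
  const liveInForeground = stream.getAudioTracks().every((t) => t.enabled);
  guard.dispose();
  doc.setVisibility('hidden');   // guard removed: tracks are left as they were
  const untouchedAfterDispose = stream.getAudioTracks().every((t) => t.enabled);
  return { mutedInBackground, liveInForeground, untouchedAfterDispose, log: guard.log };
}
```

In a real page the same function would be called with `document` and the stream returned by `navigator.mediaDevices.getUserMedia({ audio: true })`.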

Chromium builds are buggy because they are developer builds, not stable in any way.

I prefer Firefox for everything, and any other over Chrome, but… check twice, please, :slight_smile:

1 Like

I do not know if that’s intended. In that case, you can still talk to your partners when you are in another app.

I think it is only a minor security issue. You have “the little camera icon” and the browser asks you before the website can access your camera/microphone.

Chromium for Android doesn’t auto-update, so be positive that you are using a recent build.

You can download builds directly from the Chromium team here.

Alternatively, you can use getChromium, a free and open source app that installs and updates Chromium’s latest build from the Chromium team’s repository.

*I made getChromium so that everyone can use Chromium for Android.
