How to face security Issues on Android 4.2

Apparently the UXSS bug is not a threat for the Fairphone:

PS: I checked this in Firefox mobile 36, but not in the default browser.

Indeed, using Firefox is safe. But that doesn’t mean your phone and other apps are. Firefox does not use the WebView component and was never affected. Try to run the test with the default android browser.

I’m blocking the Internet access of the default browser with AFWall+, and I don’t want to unblock it. I believe you that it’s affected. I’m pretty sure, some other apps I use are too… If someone could find a way to disable webview generally…

Has nothing to do with security, does it?

The default browser is vulnerable according to my check with the linked test page. I immediately switched to Firefox, and see the hoped-for longevity of my FP go down the drain…

Once I cannot rely on security issues be fixed, I eventually have to replace my device. It’s like holes in a barrel: If you don’t fix them properly, you are eventually running out of hands to seal them, and then you run out of beer, and THEN you are in trouble…

Hello,

If this is the case we will fix it. Webview is a different beast because of the lack of existing patches. At the time of Towelroot we tested the device and found it not vulnerable.


Thanks, that’s good to hear. To be honest I only “tested” my phone using this tool, so it may as well be that their detection method for Towelroot is flawed.
Will you also fix the newer CVE-2014-7911?

Hello we will look at integrating the changes and will look at towelroot again.
http://seclists.org/fulldisclosure/2014/Nov/51


There’s an old Swedish saying: ‘It’s easy to say “Tulip Rose”, but hard to make one’.
Let’s face it. What makes the internet a wonderful invention is also what makes life on the web vulnerable.
If you want to be able to do everything, everywhere, at any time, you are vulnerable. If you want to make use of any app ever found in Google Play Store (or maybe downloaded from an obscure website), if you want to be constantly updated through various RSS feeds, if you find it essential to get real time updates from a plethora of communities such as Facebook…
…then you are vulnerable.
You can never get a 100 % guarantee that security patches will reach your phone (and install themselves) in time to block each and every potential threat. (Incidentally, enabling for automatic updates of each and every app you installed will probably cause you more trouble and more security risks than if you update manually with afterthought).
You’ll have to make a choice. Either you put safety first. For one reason or another, you have to handle sensitive information using your phone. Then you’d better get a Blackberry. Create a profile (e-mail address and so forth) that you never, never, never link to facebook or instagram or reddit or whatever. And connect to the internet only when you really need a connection, and only through encrypted networks. Then use a second phone for leisure activities. And if you must do banking stuff on your phone, make sure that your bank offers a reasonable level of security, e.g. using a card reader that generates 1-time login and signature codes. Not even these are 100 % safe, though.
Or you acknowledge that the internet is risky. You use your phone with reasonable prudence, but you also realise that sh*t happens. It’s a tedious toil having to create new accounts and passwords replacing the compromised ones, just as it’s tedious having to replace bank cards, driving license &c when your wallet gets lost. But it’s part of life.
Or you get a tinfoil hat and a few carrier pigeons.
Please note before replying: I’m not saying that security patches and updates are unimportant or superfluous. And I’m grateful to the FP developers doing their best to patch the biggest holes. All I’m trying to say is that even if we live in the best of worlds it is far from perfect. The great thing about being human is that we can develop strategies for handling this lack of perfection, which in my humble opinion is a wiser strategy than hoping to achieve perfection


Sh#t doesn’t ‘happen’; it needs a as*hole to be produced :smile:

Actually the production of feces initiates more cranially in the gastrointestinal tract than in the canalis analis, but I think we’re getting off topic here…


There is a way to disable the Android Browser and it is quite easy. You only need adb installed on your PC. I followed this guide http://android.stackexchange.com/questions/56620/enable-and-disable-system-apps-via-adb. I will see how it works and if I encounter any serious side effects. If not I will update here with a short guide on how to do it and what happens. See you soon.


A week ago I shared this great guide from StackExchange on how to disable System Apps via adb (Android Debug Bridge).
With this method you can easily disable the built-in browser. You need a PC with Linux, Mac or Windows and with Android Debug Bridge installed (on Ubuntu simply run sudo apt-get install android-tools-adb) and allow developer remote access to your Fairphone (Settings -> Developer Settings).

Open a Terminal (Hit Super (Ubuntu) or CMD+Space (Mac), then type Terminal on Ubuntu) (or Cmd Prompt on Windows).

  1. Open the ADB shell by typing adb shell (you are now working on the device)
  2. Gain super user rights with su.
  3. Use the built-in package manager to disable the browser: pm disable com.android.browser
  4. Leave the ADB shell with: exit

Use your Fairphone and see that Browser has magically disappeared from your Apps. And the best thing is: if you ever need it again, you can replace “disable” in step 3 with “enable” and the browser is back!

I’ve been using my Fairphone without the Android Browser for a week with no problems at all.

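The four manual steps above, written out as a small POSIX shell script. This is an added example, not code from the post or from Fairphone; it assumes adb is on PATH, USB debugging is enabled, the device has a working su (the Fairphone ships rooted), and the package name defaults to com.android.browser as in step 3. The one thing it adds over the manual steps is a check: after pm disable/enable it reads the package list back from the device and fails if the state did not change, rather than trusting that the icon vanished from the launcher. As the later replies note, this only hides the Browser app; the WebView component used by other apps is untouched.

```shell
#!/bin/sh
# Added example (not from the original post): toggle the stock browser via adb
# and verify the package state afterwards instead of trusting the launcher.
# Assumptions: adb on PATH, USB debugging enabled, working `su` on the device.
set -eu

ADB="${ADB:-adb}"
PKG="${PKG:-com.android.browser}"   # stock browser package from step 3

# Run a command as root on the device. `pm disable` on a system package
# needs root on Android 4.x; a plain `adb shell` runs as the shell user.
droid_root() {
    "$ADB" shell su -c "$*"
}

# Classify a package given the text of `pm list packages` (all installed
# packages) and `pm list packages -d` (disabled packages). Lines look like
# "package:com.android.browser". Prints: enabled | disabled | absent.
# Taking the listings as arguments keeps this function testable offline.
pkg_state() {
    pkg="$1"; all_list="$2"; disabled_list="$3"
    if ! printf '%s\n' "$all_list" | grep -qxF "package:$pkg"; then
        echo absent
    elif printf '%s\n' "$disabled_list" | grep -qxF "package:$pkg"; then
        echo disabled
    else
        echo enabled
    fi
}

# Query the device and print the current state of $PKG.
# Old adb shells emit CRLF line endings, hence the tr.
current_state() {
    pkg_state "$PKG" \
        "$(droid_root pm list packages | tr -d '\r')" \
        "$(droid_root pm list packages -d | tr -d '\r')"
}

# Disable or enable $PKG and fail loudly if the device did not apply it.
set_state() {
    want="$1"   # disable | enable
    droid_root pm "$want" "$PKG" >/dev/null
    got="$(current_state)"
    case "$want:$got" in
        disable:disabled|enable:enabled) echo "$PKG is now $got" ;;
        *) echo "expected $want, device reports $got" >&2; return 1 ;;
    esac
}

# Usage: ./browser_toggle.sh disable | enable | status
# (does nothing when sourced without an argument, so the functions can be reused)
case "${1:-}" in
    disable|enable) set_state "$1" ;;
    status) current_state ;;
esac
```

Run it as ./browser_toggle.sh disable, then ./browser_toggle.sh status to confirm; ./browser_toggle.sh enable is the step-3 “enable” variant from the post.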

Hi,

I wonder if this affects the WebView component of Android. As far as I understood it is based on the default browser and was replaced with Android 4.4, too.

Have you noticed any changes in apps? For example that they couldn’t display their “changes” texts anymore or something like this?

regards,
Shiny

No, it does not affect the WebView (at least if it did I did not notice it). That is good because apps requiring the WebView component still work and bad because they are still affected by the security issues.
So this is more of a cosmetic fix, which prevents you from using the insecure Browser out of convenience or habit. A use case I would think of is giving the Fairphone to not so tech-savvy people who do not want to think about which browser to use, for example.


I have followed your tutorial and yes, the “native” browser disappears. However, apps like gReader still use the WebKit component. Therefore, you should still check every app you use to see if it uses WebKit. Or install a firewall.


Actually I followed your “how to” and ended up with a dysfunctional PTP and USB storage function. Therefore, it is not advisable to use your fix. Furthermore, your solution only hides the old browser. The problem is, however, the unpatched WebKit component. Fairphone should upgrade the OS to Android 4.4 or 5, because many applications use the WebKit component. This includes gReader and almost any app using “in app” advertisement.

I am not sure PTP and USB storage are in any way related to disabling the Browser. I have been using (not PTP) but USB and MTP storage regularly since applying it and had no issues with them.

You are right that the WebKit component is still available. There is no easy fix for that as far as I know. It is also no alternative to a proper fix, but I figured for me, it is better than nothing.

Actually, I wondered myself and in general it makes no sense. However, I can reproduce the error by disabling com.android.browser and “fix” it by enabling it again. I am not sure why this is happening (I lack the necessary information on the internal architecture), but it is reproducible. When I am back from the conference I might give MTP a try and disable the browser again :wink:


@Shiny (and other XPrivacy users): can XPrivacy be used for solving the WebView issue? Or will an app be able to activate WebView even if one blocks the app’s own internet privileges?
My reason for asking: I have a Solitaire app installed and since I can’t see any reason why this app should have access to the internet, I’ve set my firewall to block it. Nevertheless, if I run the app while connected to the internet, ads are displayed. My guess is that the app uses WebView for this, and that WebView still has access to the internet even if the app itself is firewalled. And my guess is that this goes for a number of other apps as well.
Would XPrivacy be a more efficient way to block access, or would the result be the same, meaning that WebView can never be disabled, not even partially?

It’s a bit odd, really: considering that Android is UNIX-based and the FP is rooted, it ought to be possible to disable WebView simply by commenting out a line somewhere…