Aug 4, 2011 17:10 GMT

Security researchers from IBM have identified vulnerabilities in the Android browser that allow rogue apps to execute malicious JavaScript code in the context of a targeted website.

By default, Android applications are sandboxed. This ensures, for example, that a malicious app cannot access the session cookies or history of the browser and send them back to its creator.

However, applications can send requests to one another. These requests, called intents, are restricted by the operating system and by the permissions the apps were granted at installation.

One intent that many apps can send is an instruction to the browser to open a URL. This is similar to what happens on Windows when a user clicks a link in a separate application.

The IBM researchers have discovered two attack vectors that can be exploited to break out of the Android app sandbox and execute rogue JavaScript code in the context of a targeted domain.

The first is to force the browser to open the maximum allowed number of tabs. An app can tell the browser to open a URL n times until the tab limit is reached. Then, on the (n+1)th request, it can instruct the browser to open a javascript:// URI.

Because the browser cannot open a new tab, it loads the JavaScript code in the last one, which already contains the targeted domain.

The second attack vector exploits the time window the Android browser needs to process an intent properly. If two intents are sent within a short enough interval, the browser executes them in the same tab. The first intent can open the targeted domain and the second can execute rogue JavaScript.
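Both vectors rely on the browser loading a script-bearing URI, delivered by another app, into a tab that already holds a web origin. As an added example (not code from the IBM report or from Android's own browser), the hypothetical WebView-based browser Activity below allow-lists the scheme of any externally delivered URL, so a javascript: or data: URI arriving by intent is dropped instead of being run in the current tab. Class and method names are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

import java.util.Locale;

// Hypothetical browser Activity that receives ACTION_VIEW intents from other apps.
public class BrowserActivity extends Activity {
    private WebView webView;   // stands in for "the current tab" in this simplified model

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        handleExternalIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        // An already-running Activity receives later intents here: this is the path
        // that reuses an existing tab instead of creating a new one.
        handleExternalIntent(intent);
    }

    private void handleExternalIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) return;
        Uri uri = intent.getData();
        if (!isNavigableFromExternalApp(uri)) {
            // Refuse the request outright rather than falling back to the current tab.
            return;
        }
        webView.loadUrl(uri.toString());
    }

    // Only plain web schemes may be opened on behalf of another application.
    // Script-bearing schemes (javascript:, data:) would execute in whatever origin
    // the tab currently holds, which is the XSS-like outcome described above.
    static boolean isNavigableFromExternalApp(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        // Normalise case and stray whitespace so "JavaScript:" or " javascript:" do not slip past.
        scheme = scheme.trim().toLowerCase(Locale.ROOT);
        return scheme.equals("http") || scheme.equals("https");
    }
}
```

The allow-list is deliberately narrow: a browser that wants to honour other schemes from external apps should add them explicitly rather than deny-listing javascript: alone.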

"By exploiting this vulnerability a malicious, non-privileged application may inject JavaScript code into the context of any domain; therefore, this vulnerability has the same implications as global XSS, albeit from an installed application rather than another website.

"Additionally, an application may install itself as a service, in order to inject JavaScript code from time to time into the currently opened tab, thus completely intercepting the user's browsing experience," the researchers note in their report. [pdf]