A major security flaw Google classified as a “high-priority” issue threatened all users of Android devices running 4.4 KitKat and older versions of the mobile operating system. Discovered by Positive Technologies researcher Sergey Toshin, the vulnerability affected WebView, an Android component designed to issue permissions for displaying web pages to apps.
Its existence made Android Instant Apps a threat, allowing potential attackers to intercept a broad range of unencrypted information originating from targeted smartphones and tablets.
Instant threats
The newly reported flaw existed within Chromium, hence threatening every browser based on Google’s open-source engine. Besides Chrome itself, Samsung Internet and Yandex are also based on Chromium and have millions of users globally. The origin of the vulnerability means it threatened devices since late October of 2013 when Android 4.4 KitKat debuted until this January when Google released a stable variant of Chrome build 72.0.3626.81 which contains a fix for the security flaw.
The vulnerability was tied to the core function of Instant Apps which prompts Android devices to download a small file via a Chromium browser. That file is what an Instant App actually is; i.e. it’s not that the platform is a download-free solution but that it reduces the size of the required download by a massive degree, hence almost completely eliminating initialization time.
The file in question is special in the sense that it’s always deleted after an Instant App is closed, yet it’s precisely the period before that closure wherein the vulnerability existed for almost four and a half years, making malicious Instant Apps “extremely dangerous,” as described by Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies.
During the vulnerable period, a malicious Instant App was able to access all WebView contents, hence being an attack avenue that could have potentially allowed hackers to steal critical information such as social security numbers and credit card information. Browser history, headers, and authentication tokens were exposed and available for stealing by the type of WebView access wrongly allowed to Instant Apps due to the flaw, among other sensitive information.
Be thankful nobody cares about Instant Apps
Originally announced at the Google I/O 2016, developer conference, Instant Apps were devised as a way for consumers to quickly try out basic functionalities of eligible apps without having to download them. In practice, the service would launch stripped-down versions of such apps directly from the Google Play Store.
Due to the number of steps standing between opening the digital storefront and launching an Instant App, it’s obvious Google never intended the feature as a long-term alternative to actually downloading and installing apps locally but more of a try-before-you-download solution.
The service has yet to truly take off and hasn’t been embraced on a large scale in any particular app segment. While Google has yet to signal it’s looking to ditch the initiative, it doesn’t appear the project will be going anywhere for the time being. In essence, the fact that almost no one ever cared for Instant Apps lowers the chance that the newly reported vulnerability was ever (ab)used by hackers.
Having an up-to-date version of Chrome is enough to have this loophole closed on devices running Android 7.0 Nougat and later versions of the OS, the experts behind the original discovery confirmed. Older firmware builds handle WebView separately from Google‘s browser and should receive a patch to the former from their manufacturers.