Project

General

Profile

Webview vulnerability - Replicant affected?

Added by Daniel Kulesz about 9 years ago

If replicant ships with Webview, it might be also affected by the following vulnerability Google is refusing to fix in AOSP:

http://arstechnica.com/security/2015/01/google-wont-fix-bug-hitting-60-percent-of-android-phones/

In case Replicant is affected - will there be a patch?


Replies (22)

RE: Webview vulnerability - Replicant affected? - Added by Paul Kocialkowski about 9 years ago

Anyone is welcome to start investigating on this, I don't have the answer at this point.

RE: Webview vulnerability - Replicant affected? - Added by My Self about 9 years ago

IMHO the built-in browser of AOSP 4.2 (and so of Replicant, too) is completely broken and should be disabled.
(At the moment, there exist 11 known security vulnerabilities for the more or less deprecated WebView,
which don't will be fixed by Google, and very likely don't will be fixed by anybody else).

So you also should not use browsers which simply uses the existing WebView any longer.
One example for that, is my last open source browser alternative suggestion: "Lightning Browser"... tragically :'(

While it's really necessary to switch to another browser (with another render engine), the problem seems to be, that the typically alternative open source browsers can't run properly on Replicant for now, because they relying heavily on the proprietary, and so not available 3D acceleration binaries; aka OpenGL ES.

Two examples:

I've invested a lot of time now, trying to get Firefox and/or Chromium to work on Replicant (over configuration/parameter modifications),
but sadly I don't have a working solution for that bad situation, right now.

RE: Webview vulnerability - Replicant affected? - Added by Paul Kocialkowski about 9 years ago

Thanks for clearing this up. We could include patches for Webview if they exist, but we're still going to ship the default browser even if it has security flaws. We could add a note somewhere to make people aware that the browser we ship has known security flaws and list the other browsers that do too (Lightning for instance). The recommendations page does list some good advice for security, that would fit well there. What do you think?

RE: Webview vulnerability - Replicant affected? - Added by Daniel Kulesz about 9 years ago

I think if you ship software with known security flaws, users should be notified at least during use and not just somewhere in the docs. I would suggest a popup on the first launch of the app (or after first install of Replicant) with a wait counter and a checkbox "don't remind me again". Since other webview-apps are affected as well, I would not include it in the browser start but already on first OS start. Maybe it's possible to include it in the welcome screen somehow?

RE: Webview vulnerability - Replicant affected? - Added by Paul Kocialkowski about 9 years ago

I could include such a thing if someone is willing to work on it and provide a patch to implement that. What I'm going to do for now is to mention in on the recommendations page.

RE: Webview vulnerability - Replicant affected? - Added by robin p about 9 years ago

My Self wrote:

While it's really necessary to switch to another browser (with another render engine), the problem seems to be, that the typically alternative open source browsers can't run properly on Replicant for now, because they relying heavily on the proprietary, and so not available 3D acceleration binaries; aka OpenGL ES.

Two examples:

I've invested a lot of time now, trying to get Firefox and/or Chromium to work on Replicant (over configuration/parameter modifications),
but sadly I don't have a working solution for that bad situation, right now.

it's disappointing that mozilla, which has a rather different outlook to google, does not provide a graceful fallback experience for firefox. the requirement for an accelerated graphics device seems odd and unnecessary, surely the decision-makers are aware that android has a pile of proprietary bits which preclude fx working on proper free software distros such as replicant?

i'd like to think posting a bug on their tracker would get somewhere, but i'm doubtful.

RE: Webview vulnerability - Replicant affected? - Added by robin p about 9 years ago

robin p wrote:

it's disappointing that mozilla, which has a rather different outlook to google, does not provide a graceful fallback experience for firefox. the requirement for an accelerated graphics device seems odd and unnecessary, surely the decision-makers are aware that android has a pile of proprietary bits which preclude fx working on proper free software distros such as replicant?

i'd like to think posting a bug on their tracker would get somewhere, but i'm doubtful.

yeah, i'm about three years late:
https://bugzilla.mozilla.org/show_bug.cgi?id=778175

last touched two years ago, the outcome appears to be "block devices with no opengl from installing". so, protecting the image of mozilla and protecting the user from confusion are seen as more important than a proper bug fix.

perhaps some others want to comment on the bug, apparently the only free mobile os has a too small market share

RE: Webview vulnerability - Replicant affected? - Added by robin p about 9 years ago

I see that there is an attempt to build a FLOSS Mali driver. The Mali is in multiple phones including the Samsung galaxy s2.

http://limadriver.org/

I wonder what it would take to use this in replicant? Is it as simple as building for the correct hardware target/kernel version, copying across and modprobing?

RE: Webview vulnerability - Replicant affected? - Added by Thomas Kitchin about 9 years ago

Opera is out? I haven't tested it on my device yet. And I don't know anything about rendering engines (it uses Trident apparently).

RE: Webview vulnerability - Replicant affected? - Added by Daniel Kulesz about 9 years ago

Opera has deprecated its old "presto" engine and moved to webkit/blink in 2013:

http://thenextweb.com/insider/2013/04/04/opera-confirms-it-will-follow-google-and-ditch-webkit-for-blink-as-part-of-its-commitment-to-chromium/

So I guess if Chromium does not work in Replicant, Opera will neither do. I haven't tried myself though.

RE: Webview vulnerability - Replicant affected? - Added by My Self about 9 years ago

Probably this (non-free) browser replacements helping out in the meanwhile: http://redmine.replicant.us/boards/9/topics/8325

https://bugzilla.mozilla.org/show_bug.cgi?id=778175
perhaps some others want to comment on the bug

I will, thanks for the push.

http://limadriver.org/

Made a new push to that topic: http://redmine.replicant.us/boards/9/topics/3723?r=8331

RE: Webview vulnerability - Replicant affected? - Added by Paul Kocialkowski about 9 years ago

i'd like to think posting a bug on their tracker would get somewhere, but i'm doubtful.

I try to raise the issue every time I meet Mozilla folks and they tell me to open a bug report. However, I never managed to find the time to do it, but I'm sure it's worth doing it!

I see that there is an attempt to build a FLOSS Mali driver. The Mali is in multiple phones including the Samsung galaxy s2.
I wonder what it would take to use this in replicant? Is it as simple as building for the correct hardware target/kernel version, copying across and modprobing?

Lima is not (yet) a driver but a standalone application (limare) and it relies on the proprietary shader compiler. Hopefully, when there is a free driver ready and integrated in mesa, we can make use of it.

Opera is out? I haven't tested it on my device yet. And I don't know anything about rendering engines (it uses Trident apparently).

Perhaps that you have forgotten that Opera is proprietary software (until it changed recently). Hence, not only is it very bad for software freedom, but it could not be any use for better privacy/security.

So I guess if Chromium does not work in Replicant, Opera will neither do. I haven't tried myself though.

Is there Chromium for Android available somewhere? Last time I checked, there was no such thing in F-Droid so if it exists, it would be interesting to add it!

RE: Webview vulnerability - Replicant affected? - Added by My Self about 9 years ago

This post: http://redmine.replicant.us/boards/9/topics/8325?r=8565#message-8565 also refers to this topic here.

By the way, the latest Chromium build, I've testes does not start anymore, (and crashes like Firefox on startup).

I've opened issues with the vulnerable WebView topic an two WebView-using apps now:
https://github.com/anthonycr/Lightning-Browser/issues/193
https://github.com/manmal/hn-android/issues/143
I'm curious about the answer; if I'll get one...

RE: Webview vulnerability - Replicant affected? - Added by My Self almost 9 years ago

Here is a quick and dirty weak-ciphers-and-other-vulnerabilities-comparison of:


Click here: https://lut.im/KNJDVtyU/Nh1SHjm8 to enlarge the picture.

And additionally the apps-permissions:

Click here: https://lut.im/N8nAFAtD/ZPCxAI9S to enlarge the picture.

NOTE: *Chromium & *Fennec only works with proprietary accelerated graphics drivers installed, which is NOT RECOMMENDED.
The other browsers should work out of the box on Replicant (at the moment).

RE: Webview vulnerability - Replicant affected? - Added by Paul Kocialkowski over 8 years ago

If there is a chance to fix it, please submit a patch, otherwise, well, at least we know.

RE: Webview vulnerability - Replicant affected? - Added by My Self over 8 years ago

If there is a chance to fix it, please submit a patch, otherwise, well, at least we know.

Just wanted to put some more sugar on top, that WebView on Replicant 4.2 is a security nightmare, (caused by Google's patch politics for older Android versions).
To fix especially this new vulnerability, we have to wait, if Google or someone else will publish a patch for this, (there is nothing happened since 17/03/2015); then I could try to bring these to Replicant...

RE: Webview vulnerability - Replicant affected? - Added by Wolfgang Wiedmeyer over 8 years ago

Yet another WebView vulnerability:
https://labs.mwrinfosecurity.com/advisories/2015/08/13/sandbox-bypass-through-google-admin-webview/

Are you sure that Replicant is affected by this? I grepped through the code for the string "enterprise.cpanel" and this app is nowhere to find. I only found this: https://play.google.com/store/apps/details?id=com.google.android.apps.enterprise.cpanel
So it seems to not be included in AOSP.

Would it be possible to compile somewhere a list of Webview vulnerabilities which possibly exist in Replicant and are not yet fixed? There are a lot articles online that only spread FUD and don't even mention the actual security bug. That makes it difficult to find useful information...

RE: Webview vulnerability - Replicant affected? - Added by Wolfgang Wiedmeyer over 8 years ago

FYI I submitted another bug report to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1208846
Unfortunately, the outcome is the same as with the others. Improving the GLES implementation in Replicant seems to be the only option. At least other apps would benefit then, too.

RE: Webview vulnerability - Replicant affected? - Added by Wolfgang Wiedmeyer over 8 years ago

My Self, you also provided a link to an exploit here: https://redmine.replicant.us/boards/9/topics/8325?r=8565#message-8565
the exploit: https://github.com/rapid7/metasploit-framework/pull/3759/files
This is actually an exploit for CVE-2014-6041: http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html
You provided the fixes for this vulnerability yourself as part of your great work in improving the security in Replicant here: https://redmine.replicant.us/boards/9/topics/6381
I also tried running this exploit in Metasploit and I could not make it work with my Replicant phone.
So I am still wondering which known Webview vulnerabilities are not yet fixed in Replicant.

RE: Webview vulnerability - Replicant affected? - Added by Tom Li over 8 years ago

I am a user that also noticed the problem, and I just found out the discussion is already here.

The biggest problem of WebView vulnerability is that, it affects ALL APPLICATIONS with embedded webpages.

If the built-in webbrowser is disabled, an application that pops up Google Ads, will still harm the security of
the system. Even if I'm carefully enough, and I don't use any proprietary app or service, an app with a "Login"
page will still open up a security hole...Overall, I consider there is no security on mobile devices...

RE: Webview vulnerability - Replicant affected? - Added by My Self over 8 years ago

Are you sure that Replicant is affected by this? I grepped through the code for the string "enterprise.cpanel" and this app is nowhere to find. I only found this: https://play.google.com/store/apps/details?id=com.google.android.apps.enterprise.cpanel
So it seems to not be included in AOSP.

No I was/am not sure. I just channeled the news, which have less details, too.
So thanks for your research!

Would it be possible to compile somewhere a list of Webview vulnerabilities which possibly exist in Replicant and are not yet fixed? There are a lot articles online that only spread FUD and don't even mention the actual security bug. That makes it difficult to find useful information...

The last time I was busy with the try to make such a list. I've found a lot of vulnerabilities, (which I'll release soon as collected-issues) but no further issues in WebView. I fear to be sure, we have to step through the 'platform/external/chromium-webview' changes http://aosp.changelog.to/ under every AOSP > 4.2.2 version and look if the single changes also could fit for the legacy WebView we have. This is a really big effort, if nobody have a better idea(?)

FYI I submitted another bug report to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1208846
Unfortunately, the outcome is the same as with the others. Improving the GLES implementation in Replicant seems to be the only option. At least other apps would benefit then, too.

Google itself says, that we should disable SSLv3 and RC4 ciphers ASAP: https://googleonlinesecurity.blogspot.de/2015/09/disabling-sslv3-and-rc4.html
But drops (more and more) the support for legacy AOSP versions.

Probably it could be an idea to write an open letter from Replicant (and/or the FSF) to Mozilla to clarify how much a working Firefox is needed on free systems like Replicant?

My Self, you also provided a link to an exploit here: https://redmine.replicant.us/boards/9/topics/8325?r=8565#message-8565
the exploit: https://github.com/rapid7/metasploit-framework/pull/3759/files
This is actually an exploit for CVE-2014-6041: http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html
You provided the fixes for this vulnerability yourself as part of your great work in improving the security in Replicant here: https://redmine.replicant.us/boards/9/topics/6381
I also tried running this exploit in Metasploit and I could not make it work with my Replicant phone.
So I am still wondering which known Webview vulnerabilities are not yet fixed in Replicant.

Thanks for your research again!
I've also tested in this context an online UXSS-test (German): http://www.heise.de/ct/artikel/Der-Android-Test-auf-UXSS-Sicherheitsluecke-2560903.html against my Replicant installation, which says that my device is not vulnerable.

The biggest problem of WebView vulnerability is that, it affects ALL APPLICATIONS with embedded webpages.
If the built-in webbrowser is disabled, an application that pops up Google Ads, will still harm the security of
the system.

Jip, that's the case. Because of this I really appreciate the initial patchset from 'Wolfgang Wiedmeyer' (already successfully tested from my side): http://lists.osuosl.org/pipermail/replicant/Week-of-Mon-20150921/000810.html
Thanks a lot for that! (Probably you want to open an issue for that patchset?)

    (1-22/22)