Fast-Forward: Browser Security


The following is a guest post by Chris Markman, Academic Technology Specialist at Clark University, where he presses the "fast-forward button" on Hacker Conference videos to give you a summary of the talk in a condensed format, with direct links to resources mentioned in the talk. New posts are available each month in the Security Matters blog column.


"Bypassing Browser Security Policies for Fun and Profit" is a short 26-minute presentation from the 2016 Black Hat Asia conference held in Singapore in late March and early April this year. Rafay Baloch (@rafaybaloch), a security researcher and author who earned his place in the PayPal bug bounty hall of fame in 2012, presented this session. (To answer your question, yes, PayPal paid him through PayPal.) The accompanying slides and white paper for Rafay's talk are available on the conference website.

I wanted to highlight this talk because it could have been renamed "reasons not to use most browsers on Android," but maybe the title was a covert reference to the article "Smashing the Stack for Fun and Profit" from Phrack magazine 20 years ago. Either way, the description on the Black Hat website mentions a comparison of protection mechanisms in mobile device browsers versus desktop browsers, but Rafay's main focus is Android OS, and his reasons for choosing it are explained about 3 minutes into the talk.

If you want to jump ahead to the prerecorded demo, it begins at 9:48. The minutes leading up to this are an explanation of the same origin security policy found in all popular desktop browsers, and "top tier" mobile browsers. At 14:08 we also get an overview of what he calls cross-scheme data exposure (which thankfully only affects the stock Android browser prior to version 4.4).
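The same-origin policy the talk builds on is simply a tuple comparison: two URLs are the same origin only when scheme, host and port all match. The following is an added example (mine, not code from the talk, the white paper or this post) that makes that comparison explicit on a few constructed URL pairs, using the standard `URL` class available in browsers and Node.js:

```javascript
// Added example: the same-origin check as the scheme/host/port tuple comparison
// that browsers apply before letting script from one page touch another.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL.port is "" when the scheme's default port is in use, so
  // "https://a.example" and "https://a.example:443" compare equal.
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs (hypothetical hosts), each with what the policy says.
const SAMPLE_PAIRS = [
  ["https://shop.example/cart", "https://shop.example/checkout", true], // only the path differs
  ["https://shop.example/", "http://shop.example/", false],             // scheme differs
  ["https://shop.example/", "https://api.shop.example/", false],        // host differs
  ["https://shop.example/", "https://shop.example:8443/", false],       // port differs
  ["https://shop.example/", "https://shop.example:443/", true],         // explicit default port
];

// Evaluate every pair and report the policy's verdict next to the expected one.
function checkSamples() {
  return SAMPLE_PAIRS.map(([a, b, expected]) => ({
    a,
    b,
    expected,
    got: sameOrigin(a, b),
  }));
}

for (const row of checkSamples()) {
  console.log(`${row.a} vs ${row.b}: same origin = ${row.got}`);
}
```

Note that a scheme difference alone (the `http` vs `https` row) already makes two URLs different origins, which is why the talk's "cross-scheme" cases matter: a browser that fails to isolate by scheme breaks the boundary that every other part of the policy assumes.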

Minute 22 is where things get interesting from a high-level perspective, and we're reminded of the never-ending fragmentation and patch management issues facing Android and the security implications of this ecosystem. Coincidentally, the Google for Work channel on YouTube released a video, "Android Security to the Nth Degree," as I was writing this post. I haven't had a chance to watch it yet, but I have a feeling they might gloss over the fact that older Android smartphones (not a small fraction, especially for low-cost devices), as Rafay points out, are left in the dust. Planned obsolescence? Or planned insecurity?

Chris Markman has been blogging about technology since 2008, first as a volunteer for the Participatory Culture Foundation and later as an MSLIS student at Simmons College and MSIT student at Clark University. Prior to joining the Academic Technology Services team at Clark University in 2014, he managed a film and music library in the Visual and Performing Arts department. Markman is a member of the New England Archivists professional group and several artist collectives in the city of Worcester, Massachusetts.

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.