Security researchers have recently found a vulnerability that could be used to hijack Android apps and devices, but an older issue that can have the same effect remains a significant threat nearly two years after its discovery, according to security firm Bromium.
A large number of applications and advertising frameworks embedded into applications use WebView to display Web content loaded from remote servers — for example, ads. The problem is that many of these apps don't load the WebView content over an encrypted HTTPS (HTTP Secure) connection.
"The futex vulnerability for instance (CVE-2014-3153) affects every Linux kernel version currently used by Android and was recently used to successfully root the Galaxy S5 for the first time," the Bromium security researchers said in a blog post Thursday.
"In order to be compatible with the widest number of devices, apps and ad frameworks are often built against the lowest possible API version," the Bromium researchers said. "The upshot is that an app can be vulnerable even when running on a fully patched Android device running 4.2, 4.3 or 4.4."
Sign up for Computerworld eNewsletters.