Vulnerabilities within Android mobile browsers, Dolphin and Mercury, have been identified. Benjamin Watson, Mobile & Application Security Practice Lead at GuidePoint Security, has discovered these vulnerabilities. “I have been researching common vulnerability patterns in Android Web Browsers since the beginning of 2015. Since the beginning of my research efforts, I have found that quite a few of the most popular browsers available on Google Play are subject to these vulnerability patterns,” Watson explained. GuidePoint Security will continue to meticulously research vulnerability patterns in Android and iOS applications, as well as provide robust mobile security testing to customers to help prevent the consequences of a potential glitch.

lobotomy graphic

The flaws found within each respective application are different. Mobotap’s Dolphin Browser is customizable, allowing users to choose unique search bars or themes; it’s been found that the download and installation of a theme can result in exploitation or potentially full blown code execution. The Mercury browser was found to be susceptible to the arbitrary reading and writing of files in the browser’s data directory. While the teams at both Dolphin and Mercury have been made aware of the vulnerabilities and Dolphin has released an update, there’s an onus on the mobile security world to respond to the implications of having identified vulnerabilities in such commonly used browsers.

Mobile applications available today are often designed to solve some sort of user problem, but most have not been properly assessed for security issues, usually due to the aggressive quick-to-market philosophy used in the world of mobile application development. GuidePoint Security is investing continuous effort in researching mobile security and how potential vulnerabilities impact consumers at large. “We’re continuing to investigate Android web browsers and other largely consumed applications for vulnerabilities,” Watson said.

It’s imperative for organizations working on the development of mobile applications to understand the importance of testing. As made clear by Watson’s findings, common Android browsers and other applications used universally routinely have serious security vulnerabilities due to the lack of security input during their development lifecycle. GuidePoint is not only researching the implications of common vulnerability patterns in largely consumed Android and iOS mobile applications, but also offers services that help identify these problems before those applications are pushed to market.

Benjamin Watson, Mobile & Application Security Practice Lead – Ben Watson has over 7 dedicated years to application and mobile security. Prior to joining GuidePoint Security, Ben has solved application problems for cutting-edge companies in the financial services, ecommerce and medical industries. Ben has been frequently sought after for building application security programs from the ground up, due to his experience in not only developing testing methodologies, tools and techniques, but his understanding and perspective on what is required to build secure products. Ben has managed and lead efforts in large mobile application security managed services and is also an experienced mobile security researcher. He currently focuses his efforts around discovering new exploitable vulnerability patterns in Android and iOS. He also has multiple published zero day vulnerabilities effecting various Android web browsers, and is the creator and curator of an Android assessment toolkit called Lobotomy.

About GuidePoint Security
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.