Menu Bar

  • Home
  • Blog
  • About
  • Language
  • Privacy Policy


Sep 17, 2015

Android Browser Same Origin Policy Bypass Security Vulnerability (CVE-2014-6041)

A severe security vulnerability in the Android AOSP browser has been disclosed: http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html

The Psiphon team has determined that the built-in browser ("browser-only mode") in our Psiphon app is affected, on Android versions 3.0 to 4.3, through its use of Android AOSP browser via the WebView component. There is no known mitigation for this security vulnerability other than to disable JavaScript in our built-in browser WebView components.

We are releasing Psiphon for Android version 62 which will disable JavaScript in the built-in browser on these versions of Android. We plan to leave this restriction in place until a less disruptive, effective mitigation becomes available; or the Android AOSP browser becomes widely patched.