Slow. Antiquated. Android.
Remember the old Android device you used to use? Many of us have old versions of these devices sitting around that worked well 5 or 6 years ago, but are, unfortunately, too slow or outdated to use today. The hardware is lethargic and the Android OS hasn’t been patched for years. This is never more evident than when you try using a web browser on one of these devices and watch it struggle while rendering an element-rich site. The fact is, older devices simply don’t have sufficient CPU power to quickly display a complex page, even those designed to be responsive or mobile friendly.
There are a staggering number of these older devices still in circulation. In fact, one third of all devices connecting to the Google Play store are running Android 5.1 (Lollipop) or older.1 Not to mention countries where cheap (underpowered) Android devices are commonplace. Even when users run Android 6.0 or newer, the devices still don’t perform well, since many have slow CPUs and limited storage.
Enter a browser app called UC Mini, which speeds up web browsing on these old/slow devices. They claim to have a large user base, with over 50% market share in India and Indonesia. They even have “Secure” listed in the title.
Here’s the feature we’re interested in that makes it compelling to use on slower devices:
- Fast Browsing – Faster browsing mode for time and data usage saving.
This sounds great, even for newer mobile devices. UC Mini employs a feature called “Speed Mode” that overcomes the CPU constraints of slow devices. It uses a proxy to render webpages on a remote server, then delivers the rendered image to the user’s device, offloading processing load from the device. Users can now use their low-spec devices without worrying how slow it is. This is similar to the old Opera mini browser.
Here is a UC Mini user agent. It tells us a something about the device, app version, android version, and that it’s using speedmode:
“UCWEB/2.0 (Java; U; MIDP-2.0; Nokia203/20.37) U2/1.0.0 UCMini/18.104.22.1681 (SpeedMode; Proxy; Android 5.0.2; Mi_4i ) U2/1.0.0 Mobile”>Android V 5.0.2, Android V 5.0.2″
Convenience Without Privacy.
At the highest level, good web security means that you have a secure connection between the server and the client. As a web application owner, the end-user sees what you want them to and nobody along the path has the ability to view or interfere with the session. If there is a proxy in the path, however, it needs to have, at a minimum, strong security controls.
Should we trust a free proxy app that renders images on remote servers somewhere without any documented security controls? There are a few concerns:
- We don’t know if the UCWeb proxy servers are currently compromised, but we do know that they have been in the past (wikileaks).
- The app also injects in-line adds. Website operators care about what content is being served, so that control is lost as well since we don’t know what is being injected.
At Threat X, we assign additional entity risk to requests originating from proxy browsers. We did this initially to capture bots and scripts, and to help assign risk ranking. While our customers can’t ensure the security of their end-users, they don’t want confidential data to be intercepted and possibly exfiltrated.
From a user’s standpoint, the UC Browser has appeal when the alternative is being unable to access a site. But privacy is forfeited and there is a real security risk of session hijacking or compromised credentials. It’s a give and take, and ultimately, your organization needs to determine whether accessibility or security is the greater priority.
*** This is a Security Bloggers Network syndicated blog from Threat X Blog authored by Aaron Fosdick. Read the original post at: https://blog.threatxlabs.com/using-android-proxy-browsers-convenience-without-web-application-security