Security Analysis of commonly used Android Browsers

Here is a quick Security Review of the most commonly used Android Web Browsers. All the APKs are collected from Google Play store.
The security analysis was done with the help of an Automated Mobile Security Framework which was internally developed. During the analysis I even found a Web Browser app which
comes with a Trojan and is having about 54,805 users in Play Store. Check the report for more fun.

The list is sorted based on the no of users for a particular Web Browser app. Go through the report and see how secure your favourite Android Browser is.

Browser Name & Package Users Exported Activities Exported Services Exported Broadcast Receivers Exported Content Providers Allow Backup JavaScript Interface Insecure SSL Implementation WebView ignore SSL error Remote WebView Debugging Security Score* Detailed Report

Opera Mini

com.opera.mini.android
3,852,911 0 0 2 1 Yes Yes No No No 87 Show

UC Browser

com.UCMobile.intl
2,501,605 1 0 1 1 Yes No No No No 92 Show

Google Chrome

com.android.chrome
2,439,122 2 1 1 4 No No No No No 96 Show

Dolphin Browser

mobi.mgeek.TunnyBrowser
2,048,521 0 0 1 1 Yes No Yes No No 88 Show

Mozilla Firefox

org.mozilla.firefox
1,461,432 102 1 1 0 Yes No No No No 90 Show

Opera Browser

com.opera.browser
1,068,538 0 0 1 0 Yes No No No No 94 Show

CM Browser

com.ksmobile.cb
987,293 0 0 2 0 Yes No No No No 93 Show

Baidu Browser

com.baidu.browser.inter
735,695 0 1 2 0 Yes No No Yes No 87 Show

UC Browser Mini

com.uc.browser.en
571,671 0 0 1 0 Yes No No Yes No 89 Show

Maxthon Web Browser

com.mx.browser
227,026 0 0 1 0 No Yes Yes Yes No 84 Show

Yandex Browser

com.yandex.browser
190,487 0 0 1 0 Yes No Yes No No 89 Show

Next Browser

com.jiubang.browser
169,672 5 3 1 0 Yes Yes No No No 86 Show

ONE Browser

com.tencent.ibibo.mtt
82,366 0 0 0 1 Yes No No Yes No 89 Show

Boat Browser

com.boatbrowser.free
75,618 0 1 1 1 Yes Yes No Yes No 82 Show

Bonibon Web Browser

bonibon.ses.yukle
64,669 0 0 1 0 Yes No No No Yes 89 Show

Web Browser & Explorer [TROJAN Detected]

com.explore.web.browser
54,805 0 0 0 0 Yes No No Yes No 0 Show

FlashFox -Flash Browser

mobi.browser.flashfox
43,619 102 1 1 0 Yes No No No No 90 Show

Ninesky Browser

com.ninesky.browser
39,061 0 0 1 0 Yes Yes No No No 89 Show

Web Browser

explore.web.browser
16,760 0 0 0 0 Yes No No Yes No 90 Show

Javelin Browser

com.nubelacorp.javelin
15,610 0 0 0 0 Yes No No Yes No 90 Show

Web Browser & Web Explorer

net.fast.web.browser
12,512 0 0 0 0 Yes No No Yes No 90 Show

Web Browser

tools.browser.webbrowser
9,420 0 0 0 0 Yes No No Yes No 90 Show

InBrowser

nu.tommie.inbrowser
8,425 0 0 0 0 Yes No No No No 95 Show

Sleipnir Mobile - Web Browser

jp.co.fenrir.android.sleipnir
7,377 0 0 0 0 Yes Yes No Yes No 85 Show

Lightning Browser

acr.browser.barebones
6,231 0 0 0 0 Yes No No Yes No 90 Show

Mercury Browser

com.ilegendsoft.mercury
6,129 0 0 0 0 Yes No No Yes No 90 Show

Habit Browser

jp.ddo.pigsty.HabitBrowser
5,797 0 0 0 0 Yes No No Yes Yes 85 Show

Exsoul Browser

com.exsoul
4,462 0 0 0 0 Yes Yes No No No 90 Show

Web Browser & Fast

browser.explore.fast.secure
3,133 0 0 0 0 Yes No No Yes No 90 Show

Atlas Web Browser

com.jelly_browser
2,774 0 0 0 0 Yes No No No No 95 Show

Jelly Web Browser

com.jelly_browser
790 0 0 0 0 Yes Yes No No No 90 Show

Cloud Browser

com.granitamalta.cloudbrowser
478 0 0 0 0 Yes No No Yes No 90 Show

Pale Moon Web Browser

org.palemoon.android
359 0 0 1 0 Yes No Yes No No 89 Show

Vulnerabilities Categorized

Exported Activities: Displays the no of Exposed Activities. Exposed Activities are shared with other apps on the device. It accessible to any other application on the device.

Exported Services: Displays the no of Exposed Services. Exposed Services are shared with other apps on the device. It accessible to any other application on the device.

Exported Broadcast Receivers: Displays the no of Exposed Broadcast Receivers. Exposed Broadcast Receivers are shared with other apps on the device. It accessible to any other application on the device.

Exported Content Provider: Displays the no of Exposed Content Provider. Exposed Content Provider are shared with other apps on the device. It accessible to any other application on the device.

Allow Backup: Anyone can backup your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.

JavaScript Interface: JavaScript Interface was identified. Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole.

Insecure SSL Implementation: Trusting all the certificates or accepting self signed certificates is a critical Security Hole.

WebView ignore SSL error: Insecure WebView Implementation. WebView ignores SSL Certificate Errors.

Remote WebView Debugging: Remote WebView debugging is enabled.

How Scoring Works

* Security Scoring is formulated by the following algorithm.

Allow Backup = 5
JavaScript Interface = 5
Insecure SSL = 5
WebView ignore SSL = 5
Remote WebView Debug = 5
Exposed =Activities + Services + Broadcast Receivers + Content Providers

if (Exposed == 0)
Exposed Components = 0
if (Exposed ==1)
Exposed Components = 1
if (Exposed ==2)
Exposed Components = 2
if (Exposed is between 3 & 6)
Exposed Components = 3
if (Exposed is between 7 & 10)
Exposed Components = 4
if (Exposed > 10)
Exposed Components = 5

Security Score = 100 - ( Allow Backup + JavaScript Interface + Insecure SSL + WebView ignore SSL + Remote WebView Debug + Exposed)

Conclusion

This analysis is compiled by Ajin Abraham and is vendor neutral.
The top three secure Web Browsers for Android devices according to the scores as of December 25th 2014 are.

1. Google Chrome - 96/100
2. InBrowser - 95/100, Atlas Web Browser - 95/100,
3. Opera Browser - 94/100

Powered by OpenSecurity