Google Chrome adds site isolation security measures to Android

Joanna Estrada
October 20, 2019

Google Chrome, one of the most widely used browsers, has been updated to version 77, which finally introduces 'Site Isolation' on Android and delivers improvements to further protect sensitive data from being stolen on its desktop counterpart. Mobile devices must have at least 2GB of RAM to use Site Isolation, and even then the defense is only activated when visiting websites with a login mechanism, and only for 99 per cent of Chrome for Android users: 1 per cent of devices are excluded to provide a monitoring and performance baseline.

On these devices, Chrome 77 will spin any site that a user visits and enters a password on into its own process.

The news was confirmed yesterday by Google, which added that not all Android-powered devices will be able to take advantage of the new feature just yet.

Google says that it is working on optimizing Site Isolation so that it won't eat up more memory.

"When Site Isolation is enabled, each renderer process contains documents from at most one site".

If you're not familiar with Site Isolation, it's a feature that was introduced with Google Chrome 67 a year ago to prevent malicious sites from stealing passwords, cookies, and additional data from open browser tabs.

Resources labelled with a Cross-Origin-Resource-Policy header are also protected.

Performance considerations prompted Google not to enable the technology by default, a setting users can optionally override in order to enable full site isolation. While Chrome on the desktop does this all of the time, offering this on an Android phone would be too taxing on the handset (especially handsets at the low end of the smartphone spectrum).

"Our initial launch targeted Spectre-like attacks which could leak any data from a given renderer process", Google engineers said in a blog post. A bug in the renderer might allow attackers to run arbitrary native code within the sandboxed renderer process, no longer constrained by the security checks in Blink.

Network data: Site Isolation uses Cross-Origin Read Blocking to filter sensitive resource types (e.g., HTML, XML, JSON, PDF) from a process, even if that process tries to lie to Chrome's network stack about its origin. This makes it far harder for attackers to steal cross-site data.
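A site only benefits from this filtering if its sensitive responses are labelled so the browser can recognise them. The sketch below is an added example, not code from Google or the original article: a simplified header audit whose type list follows the article's examples, with function names, paths and sample headers constructed for illustration.

```javascript
// Simplified model for auditing response headers; not Chrome's CORB code.
// Resource types the article lists as filtered by Cross-Origin Read Blocking.
const CORB_TYPES = [/^text\/html$/, /^(text|application)\/xml$/, /\+xml$/,
  /^(text|application)\/json$/, /\+json$/, /^application\/pdf$/];
const CORP_VALUES = new Set(['same-origin', 'same-site', 'cross-origin']);

// Lower-case header names so lookups are case-insensitive.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Strip parameters such as "; charset=utf-8" and return the bare MIME type.
function mimeOf(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

function isCorbType(mime) {
  if (mime === 'image/svg+xml') return false; // SVG is treated as an image
  return CORB_TYPES.some((re) => re.test(mime));
}

// Findings for one response that is assumed to carry sensitive data.
function auditSensitiveResponse(headers) {
  const h = normalise(headers);
  const mime = mimeOf(h['content-type']);
  const findings = [];
  if (!mime) findings.push('missing Content-Type');
  else if (!isCorbType(mime)) findings.push(`Content-Type ${mime} is not a CORB-filtered type`);
  // Without nosniff the browser sniffs the body before treating the response
  // as a protected type; with nosniff it relies on the declared Content-Type.
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push('missing X-Content-Type-Options: nosniff');
  const corp = (h['cross-origin-resource-policy'] || '').toLowerCase();
  if (!corp) findings.push('missing Cross-Origin-Resource-Policy');
  else if (!CORP_VALUES.has(corp)) findings.push(`invalid Cross-Origin-Resource-Policy: ${corp}`);
  else if (corp === 'cross-origin') findings.push('Cross-Origin-Resource-Policy permits cross-origin loads');
  return findings;
}

// Constructed sample responses (not captured traffic).
const SAMPLES = {
  '/api/profile': { 'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff', 'Cross-Origin-Resource-Policy': 'same-origin' },
  '/api/legacy': { 'Content-Type': 'text/javascript' },
};

for (const [path, hdrs] of Object.entries(SAMPLES)) console.log(path, auditSensitiveResponse(hdrs));
```

An empty findings list means the response declares a filtered type, disables sniffing and carries a restrictive Cross-Origin-Resource-Policy value.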

Cookies and passwords can only be accessed by processes of the corresponding site.

Renderer processes may only access stored data based on the process's site lock.

And if you want in on the ground floor of new ideas, you can install the Chrome Canary app. Google warns that this is an unstable version of the browser and is suggested for developers and advanced users only.

The "affected Chrome user population" that had extensions with exceptions installed has been brought down from 14% to 2%. Those who enable full site isolation in Android may notice the same overhead as on the desktop. Mozilla started to test Site Isolation in Firefox 70. And the Chrome browser is among the worst when it comes to this type of behavior.

On Thursday this week, the Chocolate Factory said it has activated the security mechanism in the Android version of Chrome 77, which debuted last month.
