Sandboxing flaw let researchers hijack Gmail 92% of the time, and could also affect iOS and Windows.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 23, 2014


Researchers at the University of California Riverside and the University of Michigan have found a flaw in Android that allows apps to be hijacked, and they believe the same flaw can be used to attack iOS and Windows mobile apps in the same way.

The flaw stems from the fact that apps still share memory space despite sandboxing, the practice meant to isolate apps from one another and avoid the problems inherent in shared memory.

Though apps on mobile devices have been designed to run code in their own sandboxes, they generally rely on a common graphic interface framework called a window manager that operates in shared memory space. The window manager is responsible for rendering graphic interface elements on the user's mobile device screen.

In a paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," to be presented on Friday at the USENIX Security Symposium in San Diego, Calif., Qi Alfred Chen and Z. Morley Mao, from the University of Michigan, and Zhiyun Qian, from the University of California Riverside, describe how they exploited the flaw.


The attack requires a malicious app to be downloaded and to be running in the background on an Android device. The malicious app is designed to be inconspicuous, with low energy overhead and minimal permissions. Its job is to monitor the window manager memory space and infer what other apps are doing.

By watching how other apps deploy graphic elements on screen, the malicious app can understand what's going on in those apps and then inject precisely timed fake interface elements, like a login screen, to intercept login credentials or otherwise dupe the user. This technique is commonly known as a man-in-the-middle attack.

The researchers tested seven Android apps -- Amazon, Chase, Gmail, H&R Block, Hotel.com, Newegg, and WebMD -- and were able to accurately infer the interface state of the target app between 82% and 92% of the time, with the exception of Amazon's app.

Although the attack worked on Gmail 92% of the time, it fared less well with the Amazon app, working only 48% of the time. The researchers attributed this to the unpredictability of Amazon's highly variable interface and to the app's extensive use of cached data, which denied data to the malicious app.

Zhiyun Qian, an associate professor at the University of California Riverside, said in an email that although he and his colleagues did not evaluate gaming apps, he suspected many would not be vulnerable to the attack. "My guess is that those apps may not be affected as they may use lower-layer graphics APIs for performance reasons," he said.

The attack technique can also be used to obtain sensitive image files through what the researchers call a "camera peeking attack." Certain apps store image files only in memory because the images contain sensitive data -- such as an app that lets users photograph a check and then deposit it electronically. By monitoring interface elements, the malicious app can watch for camera usage and take a photo of its own immediately afterward without the user's knowledge, thereby obtaining a nearly identical image.

The researchers propose several ways to mitigate the flaw, such as limiting access to certain proc files (which contain information about important system processes), tightening interface animation systems to prevent stealthy replacement of genuine interface elements with fake ones, and limiting the functions available to background apps so they can't, for example, secretly take pictures.


About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
