Mobile // Mobile Applications
News
8/23/2014
09:06 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
100%
0%

Android Flaw Might Also Affect iOS, Windows

Sandboxing flaw let researchers hijack Gmail 92% of the time, and could also affect iOS and Windows.

3D Mapping Data's Future: 8 Examples
3D Mapping Data's Future: 8 Examples
(Click image for larger view and slideshow.)

Researchers at University of California Riverside and the University of Michigan have found a flaw in Android that allows apps to be hijacked and they believe the flaw can be used to attack iOS and Windows mobile apps in the same way.

The flaw involves the fact that apps share memory space despite sandboxing, the practice designed to isolate apps from one another to avoid the problems inherent with shared memory.

Though apps on mobile devices have been designed to run code in their own sandboxes, they generally rely on a common graphic interface framework called a window manager that operates in shared memory space. The window manager is responsible for rendering graphic interface elements on the user's mobile device screen.

In a paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," to be presented on Friday at the USENIX Security Symposium in San Diego, Calif., Qi Alfred Chen and Z. Morley Mao, from the University of Michigan, and Zhiyun Qian, from the University of California Riverside, describe how they exploited the flaw.

[Read about California's pending smartphone law: California Nears Smartphone Kill Switch.]

The attack requires a malicious app to be downloaded and to be running in the background on an Android device. The malicious app is designed to be inconspicuous, with low energy overhead and minimal permissions. Its job is to monitor the window manager memory space and infer what other apps are doing.

By watching how other apps deploy graphic elements on screen, the malicious app can understand what's going on in those apps and then inject precisely timed fake interface elements, like a login screen, to intercept login credentials or otherwise dupe the user. This technique is commonly known as a man-in-the-middle attack.

The researchers tested seven Android apps -- Amazon, Chase, Gmail, H&R Block, Hotel.com, Newegg, and WebMD -- and were able to accurately infer the interface state of the target app between 82% and 92% of the time, with the exception of Amazon's app.

Although the attack worked on Gmail 92% of the time, it fared less well with the Amazon app, working only 48% of the time. The researchers attributed this to the unpredictability of Amazon's highly variable interface and to the app's extensive use of cached data, which denied data to the malicious app.

Zhiyun Qian, an associate professor at University of California Riverside, said in an email that although he and his colleagues did not evaluate gaming apps, he suspected many would not be vulnerable to the attack. "My guess is that those apps may not be affected as they may use lower-layer graphics APIs for performance reasons," he said in an email.

The attack technique can also be used to obtain sensitive image files through what the researchers call a "camera peeking attack." Certain apps store image files only in memory because the images contain sensitive data -- such as an app that lets users photograph a check and then deposit it electronically. By monitoring interface elements, the malicious app can watch for camera usage and take a photo of its own immediately afterward without the user's knowledge, thereby obtaining a nearly identical image.

The researchers propose several ways to mitigate the flaw, such as limiting access to certain proc files (which contain information about important system processes), tightening interface animation systems to prevent stealthy replacement of genuine interface elements with fake ones, and limiting the functions available to background apps so they can't, for example, secretly take pictures.

Today's endpoint strategies need to center on protecting the user, not the device. Here's how to put people first. Get the new User-Focused Security issue of Dark Reading Tech Digest today. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
SachinEE
50%
50%
SachinEE,
User Rank: Ninja
8/25/2014 | 2:34:25 PM
Re: Interesting (and scary!)
That is right. If there are going to be security checks from the website, there shouldn't be malicious apps tracking user sensitive data (required as login to those websites) to put to use. I think it's time developers made a meeting about such attacks and see if they could change the architecture that supports the regular checkup system in android.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
8/25/2014 | 12:55:05 PM
Re: Defining criteria for apps
Google has already moved to address this with more granular permissions in Android. Given that the technique discussed requires a malicious app to already be installed on the target device, publication of this research isn't likely to change the security situation very much. But clearly the OS vendors need to take a look at this.
eamonwalsh80
50%
50%
eamonwalsh80,
User Rank: Strategist
8/25/2014 | 11:19:23 AM
Interesting (and scary!)
Given that I use both GMail and Amazon apps, I was suitably impressed by the study as well as scared. Personal information in mobile devices is a given these days. The sophistication for Google was the fact that they didn't cache your data at client end so you had to go through their server security checkpoint every single time. But that becomes a vulnerability with a background 'man in the middle' app sniffing around now. By contrast Amazon becomes far more unpredictable to shadow like that. A look at the modern enterprise security report from HP gives more clue (bit.ly/1l8KNdv). Good share!
PedroGonzales
50%
50%
PedroGonzales,
User Rank: Ninja
8/25/2014 | 9:56:39 AM
Re: Defining criteria for apps
I agree. It not worth it to download apps if most of them do not offer proper security.  Specially now that people carry a lot of their personal information on their smartphones.
SaneIT
50%
50%
SaneIT,
User Rank: Ninja
8/25/2014 | 7:28:11 AM
Re: Defining criteria for apps
It makes me wonder if we'll see fewer developers taking the kitchen sink approach to applications.  I see so many apps that want access to half the features of my phone which typically means I don't install it.  Maybe we will get leaner apps with a little more thought put into security and walling off functions.
PedroGonzales
50%
50%
PedroGonzales,
User Rank: Ninja
8/24/2014 | 1:34:37 PM
Re: Defining criteria for apps
I think this is an interesting finding by the university.  The impact of such flaw is huge.  I agree that future developers will be able to take this into consideration as they improve the security of their future applications.  Such information is available only to a small group of individuals specially in academia.  Making this information available to the public in the end benefits developers rather than cause harm.
WaqasAltaf
50%
50%
WaqasAltaf,
User Rank: Ninja
8/24/2014 | 12:33:29 AM
Defining criteria for apps
Thomas, negatives apart, this research will not only help developers of apps to ensure that their apps are secure but also help OS developers to define criteria which must be met if the apps are to be deployed. Must be of more interest to Android as they don't deploy much screening over apps allowed to be installed.
WaqasAltaf
50%
50%
WaqasAltaf,
User Rank: Ninja
8/24/2014 | 12:28:56 AM
Revealing it to hackers
Thomas, the research is impressive but disclosing such weaknesses in public may invite many hackers looking for an idea and now they have it. I think Android, iOS and Windows will not be excited at the university researchers disclosing these facts in conferences followed by masses. 
<<   <   Page 2 / 2
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest Septermber 14, 2014
It doesn't matter whether your e-commerce D-Day is Black Friday, tax day, or some random Thursday when a post goes viral. Your websites need to be ready.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.