Researchers at University of California Riverside and the University of Michigan have found a flaw in Android that allows apps to be hijacked and they believe the flaw can be used to attack iOS and Windows mobile apps in the same way.
The flaw stems from the fact that sandboxing, the practice of isolating each app in its own process so that apps cannot read one another's memory, does not stop apps from sharing memory with a common system component, and that the size of that shared region is observable by other apps.
Apps on mobile devices run in their own sandboxes, but they all draw through a common graphical-interface component, the window manager, which composites each app's windows onto the screen. The graphics buffers an app hands to the window manager are shared between the two processes, so every window an app creates or destroys changes the amount of memory the app shares.
In a paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," to be presented on Friday at the USENIX Security Symposium in San Diego, Calif., Qi Alfred Chen and Z. Morley Mao, from the University of Michigan, and Zhiyun Qian, from the University of California Riverside, describe how they exploited the flaw.
The attack requires a malicious app to be installed and running in the background on an Android device. The malicious app is designed to be inconspicuous, with low energy overhead and minimal permissions: it needs no special permission because it only reads per-process statistics under /proc that any app could read at the time. Its job is to watch how much memory the target app shares with the window manager and infer, from the timing and size of changes in that figure, which screen the target app has just moved to.
By recognizing when the target app moves to a screen of interest, the malicious app can bring a fake interface element of its own, such as a look-alike login screen, to the foreground at precisely that moment and intercept credentials or otherwise dupe the user. The researchers call this an Activity hijacking attack (an Activity is Android's unit of user interface). It is a form of UI spoofing rather than a man-in-the-middle attack: nothing is interposed between the app and its server; the attacker simply knows when to show the fake screen.
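The inference step described above, as an added example written for this article (not code from the paper or its authors): a Python monitor that reads the shared-page count of another process from /proc/<pid>/statm, flags jumps in that count as window creation or teardown, and matches the size of each jump against per-Activity signatures recorded in advance. The trace, the signature table and the thresholds are constructed for illustration only; real fingerprints come from profiling the target app, and the paper combines this signal with others that the example omits.

```python
"""Shared-memory side-channel monitor in the style of the attack described above.

Added example; not code from the paper. The sample trace, signatures and
thresholds are constructed, not measured.
"""
import os
import time
from typing import Dict, List, Optional, Tuple

Sample = Tuple[float, int]  # (seconds since start, resident shared pages)


def read_shared_pages(pid: int) -> Optional[int]:
    """Read the 'shared' column of /proc/<pid>/statm for another process.

    statm is one line of seven page counts:
        size resident shared text lib data dt
    Before Android 7.0 any app could open this entry for any pid; where /proc
    is mounted with hidepid=2 (or the pid does not exist) the open fails and
    None is returned, meaning the side channel is closed.
    """
    try:
        with open(f"/proc/{pid}/statm") as fh:
            fields = fh.read().split()
    except OSError:
        return None
    return int(fields[2])


def poll_shared_pages(pid: int, interval_s: float, duration_s: float) -> List[Sample]:
    """Sample the target's shared-page count at a fixed interval (live use only)."""
    trace: List[Sample] = []
    start = time.monotonic()
    while (now := time.monotonic()) - start < duration_s:
        pages = read_shared_pages(pid)
        if pages is None:
            break  # target exited or /proc entries are hidden
        trace.append((now - start, pages))
        time.sleep(interval_s)
    return trace


def detect_transitions(trace: List[Sample], min_delta_pages: int) -> List[Tuple[float, int]]:
    """Return (time, delta) for each sample whose shared-page count differs from
    the previous sample by at least min_delta_pages.

    Creating or tearing down a window allocates or frees graphics buffers that
    are shared with the window manager, so a large jump marks an Activity
    transition; jitter below the threshold is ignored.
    """
    events: List[Tuple[float, int]] = []
    for (_, prev), (t, cur) in zip(trace, trace[1:]):
        delta = cur - prev
        if abs(delta) >= min_delta_pages:
            events.append((t, delta))
    return events


def classify_transition(delta_pages: int, signatures: Dict[str, int], tolerance: int) -> Optional[str]:
    """Map a positive jump to the Activity whose recorded buffer size is closest,
    within tolerance pages. Negative jumps (a window being torn down) and sizes
    that match nothing return None."""
    if delta_pages <= 0:
        return None
    name, size = min(signatures.items(), key=lambda kv: abs(kv[1] - delta_pages))
    return name if abs(size - delta_pages) <= tolerance else None


# Constructed trace: the target idles at 1200 shared pages, opens a large login
# window at t=2.0, closes it at t=5.0, then opens a smaller settings window at
# t=6.0. The +3 at t=3.0 is jitter the detector must not report.
SAMPLE_TRACE: List[Sample] = [
    (0.0, 1200), (1.0, 1200), (2.0, 1580), (3.0, 1583),
    (4.0, 1583), (5.0, 1203), (6.0, 1323), (7.0, 1323),
]

# Constructed per-Activity signatures (pages added on entry), as an attacker
# would record them by driving the target app in a lab run beforehand.
SIGNATURES: Dict[str, int] = {"login": 380, "settings": 120}


def infer_activities(trace: List[Sample]) -> List[Tuple[float, str]]:
    """Whole pipeline over a trace: transitions -> labelled Activity entries."""
    labelled: List[Tuple[float, str]] = []
    for t, delta in detect_transitions(trace, min_delta_pages=50):
        name = classify_transition(delta, SIGNATURES, tolerance=20)
        if name is not None:
            labelled.append((t, name))
    return labelled


if __name__ == "__main__":
    print("transitions:", detect_transitions(SAMPLE_TRACE, 50))
    print("inferred:", infer_activities(SAMPLE_TRACE))
    # Probe our own entry: None means /proc is absent or hidden by hidepid.
    print("own statm readable:", read_shared_pages(os.getpid()) is not None)
```

The moment infer_activities reports a "login" entry is the moment an Activity hijacking attack would raise its fake login screen; the same read_shared_pages probe, pointed at another app's pid, is also a quick way to check whether a device still exposes the channel.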
The researchers tested seven Android apps -- Amazon, Chase, Gmail, H&R Block, Hotels.com, Newegg, and WebMD. For six of the seven, the malicious app inferred the interface state of the target correctly between 82% and 92% of the time; Amazon's app was the exception.
Although the attack worked on Gmail 92% of the time, it succeeded against the Amazon app only 48% of the time. The researchers attributed this to Amazon's highly variable interface, which makes the fingerprints less predictable, and to the app's extensive use of cached data, which means fewer of the network events the malicious app relies on as an additional signal.
Zhiyun Qian, an associate professor at the University of California, Riverside, said in an email that although he and his colleagues did not evaluate gaming apps, he suspected many would not be vulnerable to the attack. "My guess is that those apps may not be affected as they may use lower-layer graphics APIs for performance reasons," he said.
The same inference technique can also be used to obtain sensitive images through what the researchers call a "camera peeking attack." Some apps keep photographs only in memory precisely because they are sensitive -- for example, a banking app that lets users photograph a check and deposit it electronically. By watching the target's interface transitions, the malicious app can tell when the target has just taken a picture and immediately take a photo of its own, while the phone is still pointed at the check and without the user's knowledge, thereby obtaining a nearly identical image.
The researchers propose several ways to mitigate the flaw: restricting access to per-process entries under /proc, which at the time any app could read for any other process and which leak the shared-memory, CPU and network statistics the attack relies on; tightening the interface animation system so that a genuine window cannot be stealthily replaced by a fake one; and limiting what background apps may do, so that an app the user is not looking at cannot, for example, silently take pictures. (Android 7.0 later adopted the first of these by mounting /proc with hidepid=2, so an app can no longer read other apps' entries.)