Check Point Research said it has found a design flaw in Android’s Sandbox that allows external storage to be used as an avenue for cyberattacks.
Those attacks could result in undesired outcomes, such as the silent installation of unrequested, potentially malicious apps on the user’s phone, or denial of service against legitimate apps. They could even crash applications, opening the door to code injection that would then run in the privileged context of the attacked application.
These “Man-in-the-Disk” attacks are made possible when applications are careless about their use of shared storage that does not enjoy the Android sandbox protection, and fail to employ security precautions on their own, Check Point said. Researcher Slava Makkaveev talked about the research at the Defcon hacker event in Las Vegas today.
Within the Android operating system, there are two types of storage: internal storage, which each application uses separately and is segregated by the Android Sandbox; and external storage, often over an SD card or a logical partition within the device’s storage, which is shared by all applications.
External storage is primarily used to share files between applications. For example, in order for a messaging app to send a photo from one person to another, the application needs to have access to the media files held in the external storage.
There are other reasons why an app developer would choose to use the external storage rather than the sandboxed internal one. Such reasons range from insufficient capacity in the internal storage, backwards compatibility with older devices, or not wanting the app to appear to use too much space, to simple laziness on the developer’s part.
Whatever the reason may be, when using the external storage, certain precautions are necessary. Google’s Android documentation advises application developers on how they should use the external storage in their apps. These guidelines include validating data read from external storage, not storing executable files on external storage, and making sure files are signed and cryptographically verified before loading.
“However, we have seen a few examples where Google and other Android vendors do not follow these guidelines,” Check Point said. “And herein lies the Man-in-the-Disk attack surface, offering an opportunity to attack any app that carelessly holds data in the external storage.”
The attack surface arises when an app is downloaded, updated, or receives data from a server: that data is first written to external storage and only then passed on to the app itself.
Attackers can enter and meddle with data stored on the external storage. Using an innocent-looking app downloaded by the user, the attacker is able to monitor data transferred between any other app and the external storage, and overwrite it with other data.
Upon downloading the attacker’s ‘innocent-looking’ app, the user would be asked to grant the app permission to access the external storage, something which is perfectly normal for apps to request. The attacker’s malicious code would then start monitoring the external storage and all data held there.
In this way, the attacker has a “Man-in-the-Disk” looking out for ways to intercept traffic and information required by the user’s other existing apps to manipulate them or cause them to crash.
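As an added illustration (not Check Point’s code or any Android app’s), here is the pattern the guidelines above call for, modelled in plain Python: a file that was staged on shared storage is copied into app-private storage, and the private copy is cryptographically verified against a digest obtained out of band before it is used, so a second app with write access to the shared disk cannot swap the file between the check and the load. The payload, digest and temporary directories are constructed stand-ins for the server, the external storage and the app sandbox.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

# Constructed sample payload. In a real app the expected digest (or a signature
# over it) arrives from the server over TLS, never via the shared disk itself.
PAYLOAD = b"constructed update payload v1"
EXPECTED_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()


def sha256_of(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def import_from_shared_storage(shared_path, private_dir, expected_digest):
    """Snapshot a staged file into app-private storage, then verify the copy.

    Checking the file in place on external storage is not enough: any app with
    the storage permission can swap it between the check and the load. Copy
    first, verify the private copy, and only ever use that copy. Returns the
    private path on success, None if the content does not match.
    """
    fd, private_path = tempfile.mkstemp(dir=private_dir)  # unique, app-private
    os.close(fd)
    shutil.copyfile(shared_path, private_path)
    if not hmac.compare_digest(sha256_of(private_path), expected_digest):
        os.remove(private_path)  # never leave unverified content in the sandbox
        return None
    return private_path


def demo():
    """Clean import, then an import after a tamper, using constructed temp dirs."""
    external = tempfile.mkdtemp(prefix="external_")  # stands in for shared storage
    private = tempfile.mkdtemp(prefix="private_")    # stands in for the app sandbox
    staged = os.path.join(external, "update.bin")
    with open(staged, "wb") as f:
        f.write(PAYLOAD)
    clean = import_from_shared_storage(staged, private, EXPECTED_SHA256)
    # Another app holding write access to shared storage overwrites the staged file.
    with open(staged, "wb") as f:
        f.write(PAYLOAD + b" (modified on the shared disk)")
    tampered = import_from_shared_storage(staged, private, EXPECTED_SHA256)
    return clean is not None and os.path.exists(clean), tampered is None
```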
The results of the attacks can vary, depending on the attacker’s desire and expertise. Check Point demonstrated the ability to install an undesired application in the background, without the user’s permission. It could also crash an app and inject code to hijack the permissions granted to the attacked application. From there it could escalate privileges and gain access to other parts of the user’s device, such as the camera, the microphone, the contacts list and so forth.
Among the applications which were tested for this new attack surface were Google Translate, Yandex Translate, Google Voice Typing, LG Application Manager, LG World, Google Text-to-Speech and Xiaomi Browser.
In the case of Google Translate, Yandex Translate and Google Voice Typing, the developers had ignored a guideline listed above, which meant certain files required by the apps could be compromised by the attack, resulting in the crash of the application. LG Application Manager and LG World failed to heed the second guideline listed above, leaving them open to an attacker using them to install alternative, unrequested apps.
And finally, Google Text-to-Speech and Xiaomi Browser allowed the Man-in-the-Disk attack to take root, resulting in their APK files being overwritten.
“While it is clear that these design shortcomings leave Android users potentially vulnerable to cyber threats, what is less clear is who is really at fault and where the responsibility lies in fixing them,” Check Point said. “On the one hand, although Android’s developers have created guidelines to app developers on how to ensure their apps are safe, they must also be aware that it is well known for developers to not build their applications with security front of mind. On the other hand, and being aware of this foresaid knowledge, is there more Android could be doing to protect their operating system and the devices that use it?”