US researchers have discovered a flaw which may exist across Android, Windows, and iOS operating systems, and could allow popular services such as Gmail to become compromised.
Security experts from the University of California Riverside Bourns College of Engineering and the University of Michigan identified a weakness believed to exist in all of the above operating systems, which could allow a cyberattacker to steal sensitive data through malicious applications.
The weakness was tested on an Android smartphone, but the researchers claim the method could be used across all of the platforms — as each OS shares a similar feature: the ability for applications to access a mobile device’s shared memory. However, no tests have yet been conducted on the other systems.
The attack begins with a user downloading a seemingly harmless application, such as a background wallpaper. Once that app is installed, the researchers were able to exploit a newly discovered public side channel, the shared memory of a process, which can be read without any permissions or app privileges.
Changes within the shared memory are then monitored, and these changes are correlated with what the team calls an “activity transition event.” In other words, when a user is actively using an app, for example, to log into Gmail or take a picture of a cheque so it can be deposited online via Chase Bank, activity changes are noted.
There are two requirements for this attack: firstly, the attack needs to take place in real time, such as the moment when the user is logging into Gmail. Secondly, the hack needs to be carried out so that it is undetectable by the user — which can be achieved through good timing.
The method used to exploit the flaw was successful “between 82 percent and 92 percent of the time” on six of the seven apps tested. Among the applications that were successfully infiltrated were Gmail, Chase Bank and H&R Block.
Attacks on Gmail were successful 92 percent of the time, as were attacks on H&R Block. Attacks placed on Chase, Newegg, WebMD and Hotels.com apps were successful 83 percent, 86 percent, 85 percent and 83 percent of the time respectively.
The only app that was difficult to penetrate was Amazon, with a 48 percent success rate. The reason Amazon is more difficult to crack is that the app allows one activity to transition to another activity seamlessly, making timed attacks less likely to succeed and activities more difficult to predict.
Zhiyun Qian, an associate professor at UC Riverside, commented:
“By design, Android allows apps to be preempted or hijacked. But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”
Qian suggests that users “don’t install untrusted apps,” and for developers, the researcher says that a more careful tradeoff between security and functionality needs to be established.
The paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks” (PDF), will be presented on 22 August at the USENIX Security Symposium in San Diego.