{"id":13088,"date":"2018-08-13T10:45:08","date_gmt":"2018-08-13T18:45:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/13\/news-6855\/"},"modified":"2018-08-13T10:45:08","modified_gmt":"2018-08-13T18:45:08","slug":"news-6855","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/13\/news-6855\/","title":{"rendered":"A Clever Android Hack Takes Advantage of Sloppy Storage"},"content":{"rendered":"

<\/p>\n

Credit to Author: Brian Barrett| Date: Sun, 12 Aug 2018 20:00:00 +0000<\/strong><\/p>\n

An Android app <\/span>has two choices for where to put its data on a device: internal storage, where it\u2019s safe and snug, isolated by the operating system\u2019s sandbox, and external storage, where data can move between apps but isn't as protected. Most of the time, that setup works just fine. But when developers use the latter incorrectly, they could give hackers<\/a> a crucial foothold.<\/p>\n

That\u2019s the focus of new research<\/a> from Check Point security researcher Slava Makkaveev, who will present his findings at the DefCon security conference Sunday. By stashing the wrong things in external storage, an app can expose an Android phone to a host of potential attacks, including secret installation of malware, shutting down legitimate apps, and even potentially gaining control of a smartphone\u2019s camera or microphone.<\/p>\n

\u201cThis is an attack surface that hasn\u2019t been well documented or addressed until now. Developers everywhere should be more careful in the way they\u2019re using external storage,\u201d says Check Point head of threat prevention Orli Gan. She adds that the majority of applications Check Point analyzed appear susceptible to this kind of attack.<\/p>\n

That prevalence makes some sense in context; a developer\u2019s ability to save what they want to external storage is a feature, not a bug. And for lots of use cases, it's a logical choice. When you want to send someone a photo, for instance, your camera app will write it to external storage, so that your messaging app can grab it. No harm in that.<\/p>\n

Meanwhile, anything in internal storage gets essentially cordoned off thanks to Android\u2019s sandboxing, preventing other apps from snooping on it. But sometimes developers use external storage when they really shouldn\u2019t. Maybe they ran out of space, maybe they copy and pasted bad code from somewhere, maybe they\u2019re lazy, but things like configuration files or code for their next update end up out in the open.<\/p>\n

Check Point\u2019s so-called man-in-the-disk attack plays out from there. A hacker would first need to get someone to install an innocuous-looking app<\/a>\u2014a limiting factor, but not insurmountable\u2014and get them to grant the routine \u201cExternal Storage\u201d permission. Once in place, the malicious download would then opportunistically monitor everything other apps on the device are holding in external storage.<\/p>\n

\u201cThey\u2019re able to replace, or augment, or manipulate the content of this storage in such a way that would cause them to gain privileges on the app that\u2019s poorly written,\u201d says Gan.<\/p>\n

'Developers everywhere should be more careful in the way they\u2019re using external storage.<\/p>\n

Orli Gan, Check Point<\/p>\n

Google does offer guidelines to developers urging them not to put sensitive code on external storage. But not only did Check Point find that many apps don\u2019t follow that advice, Google itself isn\u2019t immune from man-in-the-disk. The researchers found that sloppy external storage usage by Google Translate, installed on more than 500 million devices, meant that they could compromise certain files required by the app, and crash it. Google has since patched the issue, but it still provides an illustration of how wrong things can go.<\/p>\n

\u201cGoogle Translate on my phone has access to Google Camera,\u201d says Gan. \u201cIf I\u2019m able to crash that code, and from there I\u2019m able to inject my code, it will now run in the privileges of Google Translate. Therefore it will have access to my camera, and I never allowed this application to have access to my camera.\u201d<\/p>\n

The researchers found another concerning form of vulnerability in LG Application Manager and LG World. Because of how they were using external storage, the apps could have been compromised to act as conduits for silently installing unwanted apps. LG did not respond to a request for comment.<\/p>\n

"The issues they have outlined do not affect the Android operating system itself, but rather, third party code and applications on devices," said a Google spokesperson. "Together with Check Point, we have reached out to affected Android partners to address these issues."<\/p>\n

At the very least, man-in-the-disk shows how operating system architecture can have unintended consequences. The permissive nature of external storage dates back to when there wasn\u2019t much room on actual devices, necessitating SD cards to make up the difference. Now, when developers use it irresponsibly, they expose their users to potential attack. And unless Google decides to make fundamental changes to how Android handles storage\u2014which would also potentially make some interactions with your phone more frustrating\u2014that seems unlikely to change.<\/p>\n

"Expecting every developer in the world out there to understand the security of what they\u2019re developing is unrealistic,\u201d says Gan. \u201cGuidelines are great. Developers are also great. But they don\u2019t necessarily go hand in hand.\u201d<\/p>\n

It seems like every time you turn around there's a new breach of personal information. Follow these steps to minimize the damage.<\/p>\n

https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Brian Barrett| Date: Sun, 12 Aug 2018 20:00:00 +0000<\/strong><\/p>\n

The so-called man in the disk attack uses Android’s permissive external storage to wreak havoc on devices.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-13088","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13088"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13088\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13088"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}