Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

August 14, 2018

Man-in-the-Disk – Breaking and Entering Android Phones

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 1:14 pm

New Man-in-the-Disk attack leaves millions of Android phones vulnerable by Swati Khandelwal.

From the post:

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps utilize ‘External Storage’ system to store app-related data, which if tampered could result in code injection in the privileged context of the targeted application.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android’s built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

Khandelwal cites Man-in-the-Disk: A New Attack Surface for Android Apps, which provides this quick summary of the attack:

As the details of this attack may seem complex, let us recap the general outline and ramifications of these shortcomings of Android:

  • An Android device’s External Storage is a public area which can be observed or modified by any other application on the same device.
  • Android does not provide built-in protections for the data held in the External Storage. It only offers developers guidelines on proper use of this resource.
  • Developers anywhere are not always versed in the need for security and the potential risks, nor do they always follow guidelines.
  • Some of the pre-installed and popularly used apps ignore the Android guidelines and hold sensitive data in the unprotected External Storage.
  • This can lead to a Man-in-the-Disk attack, resulting in the manipulation and/or abuse of unprotected sensitive data.
  • Modification to the data can lead to unwelcome results on the user’s device.

Vulnerability pattern: Privileged execution of non-validated data.
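To make that pattern concrete, here is an added example (not code from the post or from the Check Point research) that models the two Android storage areas with plain directories: one stands in for an app's private internal storage, the other for External Storage that any app on the device can write. It stages an "update" file in the shared area the way the post describes, lets a second app overwrite it, and then contrasts a loader that trusts the file as-is with one that pins the file's SHA-256 in private storage and refuses anything that does not match. The directory names, payload bytes and the idea of a staged update file are constructed for the demonstration; nothing here uses real Android paths or APIs.

```python
"""
Man-in-the-Disk on a plain filesystem (constructed example).
private_dir stands in for app-private internal storage; shared_dir stands in for
External Storage, which every app on the device can read and modify.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

ORIGINAL_PAYLOAD = b"module-v1: trusted code"   # constructed sample update bytes
TAMPERED_PAYLOAD = b"module-v1: attacker code"  # constructed bytes written by another app


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def stage_update(shared_dir: Path, private_dir: Path, payload: bytes) -> None:
    """Write the update into External Storage (the pattern the post warns about), but
    pin its digest inside private storage, which other apps cannot reach."""
    (shared_dir / "update.bin").write_bytes(payload)
    (private_dir / "update.sha256").write_text(sha256_hex(payload))


def load_update_unvalidated(shared_dir: Path) -> bytes:
    """Vulnerable pattern: trust whatever currently sits in External Storage."""
    return (shared_dir / "update.bin").read_bytes()


def load_update_validated(shared_dir: Path, private_dir: Path) -> bytes:
    """Hardened pattern: read the file once, hash the bytes actually read, and refuse
    to use them unless they match the digest pinned in private storage.
    Hashing a separate read of the file would leave a check-then-use window, so the
    comparison is always done on the same bytes that are returned."""
    expected = (private_dir / "update.sha256").read_text().strip()
    data = (shared_dir / "update.bin").read_bytes()
    if not hmac.compare_digest(expected, sha256_hex(data)):
        raise ValueError("update.bin in External Storage does not match the pinned digest")
    return data


def simulate_other_app_tampering(shared_dir: Path, payload: bytes) -> None:
    """Models another app with external-storage access overwriting the shared file.
    The private directory is untouched because the sandbox keeps it out of reach."""
    (shared_dir / "update.bin").write_bytes(payload)


def run_scenario() -> dict:
    """Stage an update, load it cleanly, let a second app overwrite it, then try both loaders."""
    with tempfile.TemporaryDirectory() as tmp:
        private_dir = Path(tmp) / "internal_storage"   # stand-in for app-private storage
        shared_dir = Path(tmp) / "external_storage"    # stand-in for External Storage
        private_dir.mkdir()
        shared_dir.mkdir()

        stage_update(shared_dir, private_dir, ORIGINAL_PAYLOAD)
        clean = load_update_validated(shared_dir, private_dir)

        simulate_other_app_tampering(shared_dir, TAMPERED_PAYLOAD)
        unvalidated = load_update_unvalidated(shared_dir)
        try:
            load_update_validated(shared_dir, private_dir)
            validated_rejected = False
        except ValueError:
            validated_rejected = True

        return {
            "validated_loaded_clean_bytes": clean == ORIGINAL_PAYLOAD,
            "unvalidated_loaded_tampered_bytes": unvalidated == TAMPERED_PAYLOAD,
            "validated_rejected_tampered_bytes": validated_rejected,
        }


if __name__ == "__main__":
    print(run_scenario())
```

The digest check only closes the "non-validated data" half of the pattern; the simpler fix, and the one Google's guidelines point to, is to keep the file in internal storage in the first place so there is nothing in the public area to tamper with. Where a file must transit External Storage (a download, a shared export), pinning its digest or verifying a signature before use is the minimum, and the hash has to be computed on the exact bytes the app goes on to use.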

Does anyone have a chart of the privileges required by Android apps using External Storage? That would help triage which apps to investigate first.

(Leaving to one side the deliberate creation of an app with high privileges with a plan to later update from External Storage.)
