Researchers show how apps using external storage in Android open users up to attack.
At Def Con 2018, Check Point researchers revealed details of a flaw in Android devices that could allow external storage to be leveraged for cyberattacks.
Dubbed ‘man in the disk’, the attack exploits how Android devices use external storage to store app-related data. If tampered with, this could result in a code injection in the privileged context of the target app.
How does Android storage work?
Android device apps can store their resources on internal and external storage. External storage often takes the form of an SD card or a partition within the storage of the device.
External storage is used to share files between apps. Messaging apps need access to media files held in external storage to send an image from one user to another.
Google advises developers to use internal storage. This is essentially an isolated space allocated to each app to store sensitive files or data. The internal storage is protected using Android’s built-in sandbox.
Some developers still opt to use external storage because the internal storage sometimes lacks the required capacity. Other developers would also rather their apps not appear to take up too much space, while others are simply careless. If you are using the external storage, validation tests and ensuring that files are signed and cryptographically verified is important.
Check Point said some vendors are not following these guidelines. “And herein lies the man-in-the-disk attack surface, offering an opportunity to attack any app that carelessly holds data in the external storage.”
Many popular Android apps pose a risk
The Check Point researchers discovered that many popular apps – such as Google Translate, the Xiaomi web browser and Google Voice Typing – were using external storage, which is not protected and can be accessed by any app installed on the same Android device.
This issue could result in stealthy installation of potentially malicious apps, denial of service for legitimate apps and other negative consequences.
The researchers said: “On the one hand, although Android’s developers have created guidelines to app developers on how to ensure their apps are safe, they must also be aware that it is well known for developers to not build their applications with security front of mind.
“On the other hand, and being aware of this aforesaid knowledge, is there more Android could be doing to protect their operating system and the devices that use it?”
Another mobile device flaw
Meanwhile, researchers funded by the US Department of Homeland Security found major flaws in numerous smartphone models. Presenting the report at Black Hat, Kryptowire researchers found that vulnerabilities were built into devices before customers even purchase the phone. Manufacturers have been notified since February.
Francis Dinha, CEO of OpenVPN, told Siliconrepublic.com: “Although we don’t know the full details of these loopholes just yet, the best way to protect yourself from any vulnerability is to use a VPN with anti-malware capability.
“Hackers have to have access to your phone in some way if they’re going to exploit a vulnerability, so don’t give them that access. Use a credible VPN service, especially when you’re on public Wi-Fi, and always verify links before you click on them. Be vigilant with your data; if you’re flippant with security, it’s only a matter of time before hackers will take full advantage of this opportunity.”
Smartphone with Google Play logo on screen. Image: Lutsenko_Oleksandr/Shutterstock