Security firm reports that external storage can be used to hijack Android apps
Many users have additional storage on their smartphones, usually in the form of an SD card, where they store photos, music and other bulkier files. Some apps use that external storage for system files as well, despite being outside of Android’s native security protocols. The Android Sandbox protection is meant to prevent tampering with the files of each app, but it only covers the internal storage of a device.
The software security company Check Point released a report about a vulnerability in the way some apps are using the external storage that can be exploited to gain access to their permissions or even install malware.
External storage is sort of a free-for-all space and files stored there can be accessed by multiple apps. Because of that, Google has posted guidelines for developers using external storage for their apps, suggesting a few safety rules like encrypting files or validating any non-encrypted files before using them.
The attack can be performed if the user installs an app that can look harmless but has malicious code in it. The app would require access to the external storage, which is common, and most people allow. The malware app then modifies the files of the targeted app and the next time it uses the files, it’s accessing the modified ones. What the modified files do depends on what the attacker’s goal is, but it can be anything from simply crashing the app to changing permissions and extracting user information from within the app.
If an app is using the external storage to save update files, the malware can access and change them so that while updating, the compromised app is actually installing a completely separate app that the user doesn’t want.
After the problem was found, the company contacted Google and it has since fixed the vulnerability on its own software. However, Check Point could only test a limited number of apps, so many more are potentially still open to that exploit. Users are advised to double check the credibility of the apps they are installing.
source: Check Point via Engadget
External storage is sort of a free-for-all space and files stored there can be accessed by multiple apps. Because of that, Google has posted guidelines for developers using external storage for their apps, suggesting a few safety rules like encrypting files or validating any non-encrypted files before using them.
According to the report, despite Google having these guidelines, even some of its own apps weren’t adhering to them and were vulnerable to the so called “Man-in-the-Disk" attack. The best-known ones are Google Translate, Google Voice Typing and Google Text-to-Speech.
The attack can be performed if the user installs an app that can look harmless but has malicious code in it. The app would require access to the external storage, which is common, and most people allow. The malware app then modifies the files of the targeted app and the next time it uses the files, it’s accessing the modified ones. What the modified files do depends on what the attacker’s goal is, but it can be anything from simply crashing the app to changing permissions and extracting user information from within the app.
If an app is using the external storage to save update files, the malware can access and change them so that while updating, the compromised app is actually installing a completely separate app that the user doesn’t want.
source: Check Point via Engadget
Things that are NOT allowed: