Man-in-the-Disk Attack Lets Hackers Bypass Android App Sandbox Security

Researchers have devised a new attack technique that takes advantage of how apps use the external storage of Android devices to store files to bypass security restrictions.

Under the Android security model each application runs inside a sandbox, which means other applications can’t access its internal files and secrets. However, apps can also store and load files from the so-called external storage, which is typically an SD memory card or a logical partition and is used as a shared space by most apps.

The external storage is often used to store pictures, videos and documents, but researchers from Check Point Software Technologies have found that some apps, including from large OEMs and even Google, also use the external storage for transient files that they download from the internet or generate themselves, and which they then dynamically read and load into their memory.

This behavior poses a significant security risk and the researchers presented how it can be abused at the DEF CON hackers conference on Sunday.

Any code loaded by an application executes in its context and inherits the permissions of that application, which means it has access to its sandbox and internal data. This is why the Android security guidelines advise application developers to perform input validation when handling data from external storage; to not store executables or class files on External Storage; and to only dynamically load such files if they are signed and cryptographically verified.

“Through our research analysis we have witnessed cases where an app was downloaded, updated or received data from the app provider’s server, which passed through the External Storage before being sent on to the app itself […],” the Check Point researchers said in a blog post. “Such practice offers an opportunity for an adversary to manipulate the data held in the External Storage before the app reads it again.”

To pull off such an attack, hackers would have to trick users into installing an innocent-looking Android app that requests access to external storage, which is quite common. After that, the rogue app can start monitoring the files created by other apps on external storage and can modify or replace them with malicious code before those apps read them again.

The result of the attack can vary depending on attackers’ expertise, the Android apps they choose to target and how those apps use files stored on external storage.

“Our research demonstrated the ability to install an undesired application in the background, without the user’s permission,” the Check Point researchers said. “We have also demonstrated the ability to crash the attacked application, causing it a denial of service. Once crashed and with the app’s defenses down, the attacker could then potentially carry out a code injection to hijack the permissions granted to the attacked application and escalate his own privileges in order to access other parts of the user’s device, such as the camera, the microphone, contacts list and so forth.”

Protecting against this attack would require developers to follow the Android guidelines and stop using external storage in an insecure way. However, since developers cannot be trusted to do the right thing, the Check Point researchers argue that Google should build defenses against this attack vector directly in the operating system itself.
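The guideline the article cites (validate data read from external storage, never keep executables or class files there, and dynamically load code only after it has been cryptographically verified) can be illustrated in app code. The following Java class is an added example written for this page; it is not code from Check Point, Google or any affected app. It assumes a hypothetical app that downloads an optional module as a `.dex` file plus a detached RSA signature, that the vendor's public key is compiled into the APK (the `VENDOR_PUBLIC_KEY_B64` value is a placeholder), and that the signature was produced with `SHA256withRSA`. The important ordering is that the files are first copied into the app's private directory and verified there, so that another app with storage permission cannot swap the file between the check and the load.

```java
import android.content.Context;
import android.util.Base64;
import dalvik.system.DexClassLoader;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

/** Hypothetical helper (example code, not from any real app) that loads a downloaded
 *  module only after copying it out of shared storage and verifying its signature. */
public final class SafeModuleLoader {

    // Assumption: the vendor's RSA public key (SubjectPublicKeyInfo DER, base64) ships
    // inside the APK, never on external storage. Placeholder value, not a real key.
    private static final String VENDOR_PUBLIC_KEY_B64 = "PLACEHOLDER_BASE64_SPKI";

    private SafeModuleLoader() {}

    /** untrustedDex / untrustedSig may live on external storage; treat them as attacker-controlled. */
    public static ClassLoader loadVerifiedModule(Context ctx, File untrustedDex, File untrustedSig)
            throws IOException, GeneralSecurityException {
        // 1. Copy both files into the app's private directory before doing anything else.
        //    Verifying in place on external storage would be a time-of-check/time-of-use bug:
        //    another app could replace the file between our signature check and the load.
        File privDir = new File(ctx.getFilesDir(), "modules");
        if (!privDir.isDirectory() && !privDir.mkdirs()) {
            throw new IOException("cannot create " + privDir);
        }
        File dex = new File(privDir, "module.dex");
        File sig = new File(privDir, "module.sig");
        copy(untrustedDex, dex);
        copy(untrustedSig, sig);

        // 2. Verify the detached signature over the private copy only.
        if (!verify(dex, readAll(sig))) {
            dex.delete();
            sig.delete();
            throw new SecurityException("module signature invalid; refusing to load");
        }

        // 3. Only the private, verified copy is ever handed to a class loader; the
        //    optimized-dex directory is private as well.
        File optDir = ctx.getDir("dex_opt", Context.MODE_PRIVATE);
        return new DexClassLoader(dex.getAbsolutePath(), optDir.getAbsolutePath(),
                null, ctx.getClassLoader());
    }

    private static boolean verify(File data, byte[] signature)
            throws IOException, GeneralSecurityException {
        byte[] der = Base64.decode(VENDOR_PUBLIC_KEY_B64, Base64.DEFAULT);
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        try (InputStream in = new FileInputStream(data)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                verifier.update(buf, 0, n);
            }
        }
        return verifier.verify(signature);
    }

    private static byte[] readAll(File f) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        copyStream(new FileInputStream(f), out);
        return out.toByteArray();
    }

    private static void copy(File src, File dst) throws IOException {
        copyStream(new FileInputStream(src), new FileOutputStream(dst));
    }

    private static void copyStream(InputStream in, OutputStream out) throws IOException {
        try (InputStream i = in; OutputStream o = out) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = i.read(buf)) > 0) {
                o.write(buf, 0, n);
            }
        }
    }
}
```

The same pattern applies to non-executable data (configuration, update manifests, media the app parses): copy into private storage, check integrity or a signature there, and only then parse it. Storing such files under `getFilesDir()` or `getCacheDir()` from the start, instead of on external storage, removes the shared-space exposure entirely.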

Fax Protocol Vulnerabilities Could Expose Entire Networks to Attacks

In a separate presentation at DEF CON, researchers from Check Point unveiled critical vulnerabilities in the fax protocol used by all-in-one office devices that combine printer, fax and photocopier functionality.

The researchers worked with HP and the manufacturer recently released patches for dozens of its business inkjet printers and multifunction devices with fax capabilities. However, the Check Point researchers warn that devices from other vendors and even fax-to-email applications are likely affected as well, because the issues are in the protocol itself.

Even worse, the attack, which has been dubbed Faxploit, bypasses traditional network defenses because it is executed over phone lines rather than Ethernet. It’s also easy to pull off because it only requires attackers to send malformed files to a target’s fax number.

Because the device that handles fax communications usually also acts as a printer, it is very likely connected to the internal LAN. Therefore, using Faxploit to compromise a fax device provides attackers with a foothold inside local networks and the ability to perform lateral movement to attack other types of computing devices.

The attackers could also use the exploit to steal documents from the machine, redirect all faxes back to them and even tamper with the contents of faxed documents.

“While the use of fax machines has in general radically subsided over the last 15 years, due to the rise of email and other electronic communication applications, it is still very much the norm for many industries who consider it a more secure or legally binding form of doing business,” the researchers said in a blog post. “In addition, the presence of fax machines in both the home and work place is still very much prevalent, regardless of how often they are actually used.”


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
