SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
17 Feb 2017

Division between work and personal data on Android breached

Researchers here at the RSA Conference demonstrated a way a hacker can bypass enterprise mobility management sandboxing tools known as Android for Work that are designed to segregate work and personal data on Android devices.

In a proof-of-concept demonstration, researchers from Skycure showed how two separate malicious apps can circumvent Android’s multiuser framework designed to secure a work profile from a personal profile on a single device.

The attacks hinge on a targeted victim downloading apps in their personal profile that grant attackers heightened privileges over the device’s Accessibility Services and Notification permissions in both work and personal profiles. The Google feature, commonly known as Android for Work, is referred to by Google as “work features in Android.” The EMM-managed service allows businesses to secure work-related data and apps on Android devices as well as enforce OS security features such as verified boot. Victims targeted by what Skycure is calling an app-in-the-middle attack face two different types of threats.

In one proof-of-concept attack, researchers created a fictitious app called NotiMirror that offers users the ability to mirror mobile notifications to a desktop. When NotiMirror is installed, the app requests permission to take control of the device’s mobile notification features and has the ability to send all mobile notifications received by the device, including SMS messages, to a third-party server.

“Since Notifications access is a device-level permission, a malicious app in the personal profile can acquire permission to view and take actions on all notifications, including work notifications, by design. Sensitive information, such as calendar meetings, email messages and other information appears in these notifications, which are also visible to the ‘personal’ malicious app,” according to a Skycure research report written by Yair Amit, co-founder and CTO at Skycure.

In another attack scenario, demonstrated at RSA, an attacker can hijack mobile notifications related to SMS messages tied to a password reset request to gain access to enterprise resources such as Salesforce and Slack. “This presents a serious threat to the use of Android for Work as a secure sandbox for mobile work productivity, as EMM solutions have no mechanism to recognize or defend against it. The attacker may even capture two-factor authentication and administrators will not have any visibility of the theft,” wrote Amit.

A second attack involves exploiting Android’s Accessibility Service, which offers audible narration of on-screen text for visually impaired users. For this proof-of-concept, Skycure created an app called StickiWiki that requests permission to monitor all content on the device’s screen. The premise of the fictitious app is to allow users to execute a “@Wiki:” shortcut command to insert abbreviated Wikipedia entries into any Android application, such as chat or email.

Despite the fact the app is installed on the user’s personal profile, StickiWiki monitors all content viewed on the Android device. Next, when a user accesses their work profile and views protected content, an adversary can use StickiWiki to harvest all text on the screen and silently send it to a third-party server.

“This app-in-the-middle resides in the personal profile, yet is effective in stealing corporate information as the user interacts with it. The personal profile cannot be monitored or controlled from the work profile, so even if IT administrators try to enforce security on the work profile (e.g., by restricting the profile settings or allowing only whitelisted apps) it won’t be possible to detect any exposure of sensitive information that uses the Accessibility Service, as they cannot access the personal profile,” Amit wrote.

Skycure notes that Accessibility Services restricts access to its features through a whitelisting function that identifies permitted apps by application package name. To bypass those whitelisting restrictions, Skycure said, it gave the malicious app the same package name as the whitelisted legitimate apps. Skycure said it disclosed its research to Google. In response, Google noted that since the app was not distributed via Google Play and required a user to overtly grant excessive permissions to the two apps, it doesn’t view it as a threat to its Android work multi-user framework, Amit said.

“The apps outlined in our research illustrate real-world exposure risks,” Amit said. “Apps that utilize the relevant Accessibility and Notification permissions are prevalent in Google Play and other sources – while most are used for good reasons,” he said. “Because of the flaws we outline in our research, they are by design endangering the most sensitive corporate data stored on Android business profiles.”
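A defender-side audit of the two device-level grants discussed above, as an added example that is not code from Skycure, Google or Threatpost. It parses the `enabled_notification_listeners` and `enabled_accessibility_services` secure-settings values and checks each holder against an allowlist pinned by package name and signing-certificate digest, since a package-name-only check accepts a look-alike app. All package names, class names and digests are constructed.

```python
# Added example: audit which apps hold Notification access and Accessibility grants.
# Every value below is constructed sample data, not taken from a real device.

# Values in the form returned by `settings get secure <key>`:
# colon-separated "package/class" component names.
SAMPLE_SETTINGS = {
    "enabled_notification_listeners":
        "com.example.notimirror/com.example.notimirror.MirrorService"
        ":com.example.wearsync/com.example.wearsync.Listener",
    "enabled_accessibility_services":
        "com.example.reader/com.example.reader.ScreenReaderService",
}

# Constructed inventory: package -> SHA-256 digest of its signing certificate.
INSTALLED_SIGNERS = {
    "com.example.notimirror": "aa" * 32,
    "com.example.wearsync": "bb" * 32,
    "com.example.reader": "ee" * 32,  # approved package name, unexpected signer
}

# Approved apps, pinned by package name AND expected signer digest.
ALLOWLIST = {
    "com.example.wearsync": "bb" * 32,
    "com.example.reader": "cc" * 32,
}

def parse_components(value):
    """Split a settings value into (package, class) pairs; empty or 'null' gives []."""
    if not value or value.strip() == "null":
        return []
    pairs = []
    for item in value.strip().split(":"):
        pkg, _, cls = item.partition("/")
        if pkg:
            pairs.append((pkg, cls))
    return pairs

def audit(settings, signers, allowlist):
    """Return (setting key, package, reason) for every grant that is not approved."""
    findings = []
    for key, value in settings.items():
        for pkg, _cls in parse_components(value):
            if pkg not in allowlist:
                findings.append((key, pkg, "not-approved"))
            elif signers.get(pkg) != allowlist[pkg]:
                # A name-only allowlist would have passed this app.
                findings.append((key, pkg, "signer-mismatch"))
    return findings

if __name__ == "__main__":
    for key, pkg, reason in audit(SAMPLE_SETTINGS, INSTALLED_SIGNERS, ALLOWLIST):
        print(f"{key}: {pkg} -> {reason}")
```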

Tags: Android, information leaks, Google

Source: Threatpost