Monday, August 13, 2018

“Even Google’s own developers don’t necessarily follow Android security guidelines.” So we have a new "Man in the Disk" attack, which allows a bad actor to hijack the communications between privileged apps and the device disk, bypassing sandbox protections to gain access to app functions and potentially wreak havoc.


“Some of the apps in question are made by Google themselves,” said Gan. “So even Google’s own developers don’t necessarily follow Android guidelines.”

Android’s OS makes use of two types of storage: internal storage, which provides every app with its own sandbox, and an external storage mechanism that uses a removable SD card. This latter storage is shared across the OS, because it’s designed to let apps transfer data from one app to another. So, if a user takes a picture and then wants to send it to someone using a messaging app, the external storage is the platform that allows this to happen.


Google provides developer guidelines meant to provide a road map for security best practices. These include advice such as never writing critical data files to the external storage, and not using it to store executables or files that impact the way apps operate. Also, external storage files should be signed and cryptographically verified prior to dynamic loading.

In fact, roughly half of the Android apps in Google Play that Check Point examined did not comply with the guidelines. The firm examined Google Translate, Yandex Translate, Google Voice Typing, Google Text-to-Speech and Xiaomi Browser, among others.
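The last of those guidelines, verifying a file from shared storage before loading it, is the one a developer can actually put into code. The following is an added example written for this post; it is not code from Check Point, Google or the Threatpost article. It assumes a SHA256withRSA public key shipped inside the app (a hypothetical "update.pub" resource, stood in for here by a throwaway key pair) and uses plain java.nio file calls instead of Android's Context APIs so that it compiles as ordinary Java. The point it makes beyond the guideline text: read the file into memory once, verify those exact bytes, and then use only that array, because a second read of a shared-storage file could pick up whatever another app wrote in between the check and the load.

```java
// Added example: verify a detached signature over a file fetched from
// shared/external storage before using it. Not from the article or the vendor.
// Assumes the RSA public key is embedded in the APK (hypothetical
// "update.pub"); a generated key pair stands in for it below.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public final class ExternalFileVerifier {

    private static final String ALGORITHM = "SHA256withRSA";

    /**
     * Reads the payload and its detached signature from shared storage,
     * checks the signature, and returns the in-memory bytes that were checked.
     * Callers must use the returned array and never re-read the file: a second
     * read could observe a file another app swapped in after the check.
     */
    public static byte[] readVerified(Path payload, Path sig, PublicKey pub)
            throws IOException, GeneralSecurityException {
        byte[] data = Files.readAllBytes(payload);   // single read, then frozen
        byte[] signature = Files.readAllBytes(sig);
        Signature verifier = Signature.getInstance(ALGORITHM);
        verifier.initVerify(pub);
        verifier.update(data);
        if (!verifier.verify(signature)) {
            throw new SecurityException("signature mismatch for " + payload);
        }
        return data;
    }

    // Self-test with a throwaway key pair standing in for the APK-embedded key.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        // Constructed stand-in for the shared external storage directory.
        Path dir = Files.createTempDirectory("shared-storage");
        Path payload = dir.resolve("model.bin");
        Path sig = dir.resolve("model.bin.sig");
        byte[] content = "constructed payload".getBytes("UTF-8");
        Files.write(payload, content);

        // The publisher side: sign the file with the matching private key.
        Signature signer = Signature.getInstance(ALGORITHM);
        signer.initSign(kp.getPrivate());
        signer.update(content);
        Files.write(sig, signer.sign());

        byte[] ok = readVerified(payload, sig, kp.getPublic());
        System.out.println("verified " + ok.length + " bytes");

        // Simulate another app overwriting the shared file after signing.
        Files.write(payload, "tampered".getBytes("UTF-8"));
        try {
            readVerified(payload, sig, kp.getPublic());
            System.out.println("BUG: tampered file accepted");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac ExternalFileVerifier.java && java ExternalFileVerifier`; the first call succeeds and the second, after the file is overwritten, is rejected. In a real app the verified bytes would be loaded from memory (or written to the app's private internal storage first), never executed straight from the external path.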



https://threatpost.com/def-con-2018-man-in-the-disk-attack-surface-affects-all-android-phones/134993/
