Gmail app hacked with 92 percent success rate
Researchers from the University of California Riverside's Bourns College of Engineering have identified a weakness in Android which allows personal data to be obtained from apps.
Tested against seven popular apps the method was between 82 and 92 percent successful on six of them, only Amazon with a 48 percent success rate proved more difficult to crack. Most vulnerable were Gmail and H&R Block at 92 percent, followed by Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent) and Hotels.com (83 percent).
Although demonstrated on Android the researchers believe their method will work on iOS and Windows devices too because they share a key feature exploited in the Android system.
The attack works by getting a user to download a seemingly benign app, such as one to display background wallpaper on a phone. Once the malicious app is installed, the researchers can exploit a newly discovered public side channel, the shared memory statistics of a process, which can be accessed without any privileges.
Shared memory is an operating system feature commonly used to allow apps to share data. By monitoring changes that take place in it researchers are able to correlate them to what they call an "activity transition event," which includes such things as a user logging on to Gmail.
"The assumption has always been that these apps can't interfere with each other easily," Zhiyun Qian of the Computer Science and Engineering Department at UC Riverside says. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user".
The attack needs careful timing in order to work. "By design, Android allows apps to be preempted or hijacked," Qian says. "But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique".
The Amazon app proved harder to attack because it allows one activity to transition to almost any other activity, making it more difficult to guess which activity the user is currently in.
Users can protect themselves by not installing untrusted apps, but in the longer term researchers say the operating system needs to be changed to better regulate side channels.
The full research paper is due to be presented at today's USENIX Security Symposium in San Diego. It's available to read online and there are some short videos demonstrating how the attack method works.