A flaw in Android's GUI framework let university researchers infer what a victim app was displaying and hijack its interface, with success rates of up to 92 percent. They tested apps from Gmail, H&R Block, Newegg, WebMD, Chase Bank, Hotels.com and Amazon.
"Changes in the shared memory side channel allow an attacker to infer if there is an activity transition going on in the foreground," researcher Zhiyun Qian, an assistant professor at the University of California at Riverside, told LinuxInsider.

"This is a design choice by modern OSes ... . The same attack may work as well [on other mobile OSes]," he added.
Details of the Flaw
When a new screen or window is shown, the GUI framework allocates a buffer of fixed size in shared memory, and that size is proportional to the size of the screen, Qian said. The memory is allocated inside the app process and shared with a separate window compositor process.
Shared memory is commonly adopted by window managers to receive window changes or updates from running applications. Because the allocation and release of that memory can be observed by other, unprivileged processes, this gives rise to the side channel.
When a user installs a malicious app, that app can use the side channel to tell when a sensitive screen is in the foreground and steal information such as login credentials, or obtain sensitive camera images such as photos of personal checks sent through banking apps.
Existing attacks can be made stealthier and more effective by supplying them with the target's current UI state; further, user behavior can be inferred by tracking UI state changes.
How the Attack Works
The researchers first built a UI state machine from UI state signatures constructed offline. In real time, they then inferred UI states -- called "activities" in Android -- from an unprivileged background app.

Finally, they exploited the designed functionality that allows UI preemption, commonly used by alarm or reminder apps on Android, to break the GUI integrity.
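To make the state-machine step concrete, here is an added illustration in Python. It is not the researchers' code: the app, its five activities, the two transition graphs and the per-activity signature values are all constructed for the example, and a signature is reduced to a single integer standing in for whatever an unprivileged background app can observe about a transition. The point it shows is the one behind the Amazon result below: the same ambiguous observations resolve to one activity when the app's transition graph is restrictive, and stay ambiguous when any screen can lead to any other.

```python
"""Added illustration: tracking an app's UI state with a state machine.

Not the researchers' code. The app, its activities, the transition graph
and the per-activity signature values are all constructed for this example.
A signature is whatever an unprivileged background app can observe about a
transition; here it is reduced to one integer (think: pages of shared
memory allocated while the new screen is drawn).
"""

# Constructed signature per destination activity. Two screens deliberately
# share a value (Compose and Login), so a signature alone is ambiguous.
SIGNATURES = {
    "Inbox": 200,
    "Thread": 200,
    "Compose": 120,
    "Login": 120,
    "Settings": 80,
}

# A restrictive transition graph, as in an app whose screens only lead to a
# few others.
RESTRICTIVE = {
    "Inbox": {"Thread", "Compose", "Settings"},
    "Thread": {"Inbox"},
    "Compose": {"Inbox"},
    "Settings": {"Inbox", "Login"},
    "Login": {"Inbox"},
}

# A permissive graph: every activity can move to every other one. This is
# the situation the article describes for the Amazon app.
COMPLETE = {a: set(SIGNATURES) - {a} for a in SIGNATURES}


def infer_states(transitions, signatures, observations, start):
    """Forward-simulate the UI state machine over observed signatures.

    transitions:  activity -> set of activities it may transition to
    signatures:   activity -> signature observed when that activity is entered
    observations: one observed signature per detected transition
    start:        activity known to be in the foreground at the beginning
    Returns, for each observation, the set of activities still consistent
    with everything seen so far (empty if the model cannot explain it).
    """
    candidates = {start}
    history = []
    for obs in observations:
        candidates = {
            dst
            for cur in candidates
            for dst in transitions[cur]
            if signatures[dst] == obs
        }
        history.append(frozenset(candidates))
    return history


def unique_state(history):
    """The inferred activity after the last observation, or None if the
    observations leave more than one possibility open."""
    last = history[-1]
    return next(iter(last)) if len(last) == 1 else None


if __name__ == "__main__":
    # Constructed observations: the user opened Settings, then a screen with
    # signature 120, which could be Login or Compose.
    observed = [80, 120]
    for name, graph in (("restrictive", RESTRICTIVE), ("complete", COMPLETE)):
        hist = infer_states(graph, SIGNATURES, observed, "Inbox")
        print(name, [sorted(s) for s in hist], "->", unique_state(hist))
```

With the restrictive graph the second observation can only be the Login activity, which is exactly the moment an attacker would want to preempt the screen; with the complete graph the same two observations leave Login and Compose open, so the attacker either guesses or waits, which is what drives a lower success rate.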
"This is akin to a combination of other well-known flaws such as the Trojan Horse approach," Al Hilwa, a program director at IDC, told LinuxInsider.
Trojan Horses capture user data with a decoy UI before error messages are put out, and the real app is brought up once the data is stolen. However, in the researchers' attack, "the real app is used but another app is capturing the data, then throwing out an error message," Hilwa said.
The findings put paid to the common notion that downloaded apps cannot interfere with each other.
The Killing Fields
The researchers achieved success rates for their attacks of 92 percent for the Gmail and H&R Block apps; 86 percent for Newegg's app; 85 percent for the WebMD app; and 83 percent for the Chase Bank and Hotels.com apps.

They had the lowest success rate -- 48 percent -- with the Amazon app, because it allows an activity to transition to almost any other activity, making tracking difficult.
"We will shut down the vulnerability on Android first, followed by iOS," James Wu, CTO and COO of Newegg North America, told LinuxInsider. He expects these fixes to be in place by next week.
"At this time, there is no indication that any H&R Block client data has been compromised as a result of this vulnerability," said company spokesperson Gene King.

"H&R Block takes privacy and security very seriously, and we are in contact with appropriate parties to address these reports," he told LinuxInsider.
The researchers had not yet notified Google of the flaw, UCR's Qian said.
On Responsibility and Defense
As for fixing the flaw, Newegg's Wu said, "everyone is responsible -- the OS makers, app developers and phone users."

The researchers "did a good job at pointing out and educating everyone about a possible vulnerability," he continued. "Now it is up to all of us to do something about it."
OS vendors could eliminate the shared memory side channel, Qian suggested, although that could hurt backward compatibility. Or they could redesign the GUI framework so that it stops allocating and deallocating memory on every transition and instead preallocates twice the buffer size up front; that would raise memory consumption, though.
There are "not always perfect solutions," Qian admitted, noting that each imposes its own penalties.
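The following added Python model ties the mechanism from "Details of the Flaw" to the preallocation defense just described. It is not the researchers' or Android's code: the two window-manager policies are simplified from the article's description, the screen size and the timeline of transitions are constructed, and the attacker is assumed to be able to sample the victim's shared-memory footprint once per tick from an unprivileged process. The per-transition allocator leaves an allocate-then-free spike that a simple detector recovers; the preallocated double buffer shows a flat footprint, at the cost of paying the transition-time peak permanently.

```python
"""Added illustration: why per-transition buffer allocation leaks, and why
preallocating twice the buffer closes the leak at a memory cost.

Not the researchers' or Android's code. The window-manager behaviour is a
simplified model built from the article's description; the screen size and
the timeline of transitions are constructed for the example. The attacker
is assumed to be able to sample the victim's shared-memory footprint at
each tick, as an unprivileged process.
"""

SCREEN_BYTES = 1080 * 1920 * 4  # one ARGB window buffer, constructed size


class PerTransitionAllocator:
    """Allocates a fresh shared buffer for each new screen and frees the old
    one once the new screen is drawn: the footprint briefly doubles."""

    def __init__(self):
        self.buffers = 1

    def begin_transition(self):
        self.buffers += 1  # new window's buffer allocated, old still mapped

    def end_transition(self):
        self.buffers -= 1  # old window's buffer released

    def shared_bytes(self):
        return self.buffers * SCREEN_BYTES


class PreallocatedAllocator:
    """Holds two buffers from the start and swaps between them, so a
    transition changes nothing the outside world can measure."""

    def __init__(self):
        self.buffers = 2

    def begin_transition(self):
        pass  # draw into the spare buffer, no allocation

    def end_transition(self):
        pass  # swap roles, no release

    def shared_bytes(self):
        return self.buffers * SCREEN_BYTES


def sample_trace(allocator_cls, transition_ticks, ticks):
    """Victim timeline: a transition that starts at tick t is finished by
    tick t+1. The attacker records shared_bytes() once per tick."""
    wm = allocator_cls()
    trace = []
    for t in range(ticks):
        if (t - 1) in transition_ticks:
            wm.end_transition()
        if t in transition_ticks:
            wm.begin_transition()
        trace.append(wm.shared_bytes())
    return trace


def detect_transitions(trace, screen_bytes=SCREEN_BYTES, tolerance=0.1):
    """Flag a tick whose footprint rises by about one screen buffer relative
    to its neighbours on both sides: the allocate-then-free signature."""
    lo = screen_bytes * (1 - tolerance)
    hits = []
    for t in range(1, len(trace) - 1):
        if trace[t] - trace[t - 1] >= lo and trace[t] - trace[t + 1] >= lo:
            hits.append(t)
    return hits


if __name__ == "__main__":
    when = {3, 10}  # constructed: the user changes screens at ticks 3 and 10
    for cls in (PerTransitionAllocator, PreallocatedAllocator):
        trace = sample_trace(cls, when, 15)
        print(cls.__name__, "detected:", detect_transitions(trace),
              "peak MiB:", round(max(trace) / 2**20, 1))
```

Two caveats a practitioner would check: the detector keys on one screen-sized spike, so two transitions on consecutive ticks blur into one plateau and are missed, and the peak footprint of both policies is identical, which is why the defense costs memory without changing the worst case.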
Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.