A new vulnerability facing Android apps has come to the fore, which allows an attacker to gain access to the external storage of an Android device and meddle with the data stored there — dubbed as the ‘Man-in-the-Disk’ attack.
Android hasn’t been at their very best when it comes to the security of users but they have been trying to improve and have taken many new steps. You can also check out the new security features in the Android 9 Pie update.
Researchers at Check Point have found out this shortcoming in the way Android apps use the storage resources of the device. This could lead to a number of issues such as a silent installation of malicious apps, malware codes and could cause the source application to deny service and crash.
The thing to note here is that it’s not the authors/developers of this app that have ill-intentions but they might just provide a door to an attacker due to their carelessness about the usage of the external storage.
Although Android employs Sandbox security technique — which makes sure that an app doesn’t access data stored by other apps — to its internal storage but the external storage of the device isn’t protected by the same.
This means that if the developer fails to employ the security precautions as suggested by Google’s Android documentation, they’ll leave their app and user’s data on the external storage vulnerable to an attack.
Also read: Redmi K20 Pro vs Google Pixel 3a
How does the attack work?
This allows an attacker to modify the data in the External storage before it’s read by the app again.
According to the researchers, “In this way, the attacker has his ‘Man-in-the-Disk’ looking out for ways in which he can intercept traffic and information required by the user’s other existing apps, and offer a carefully crafted derivative of the data that would lead to harmful results.”
An attacker can harm the user in the following ways:
- Installing a malicious application in the background without the user’s knowledge
- Crash the application that has been attacked
- Injecting a code to modify the permissions granted to the attacked app and gain access to the camera, microphone, contact lists and more from the user’s device
- The more the number of permissions required by an app, the easier it gets for the attacker to access more data
Guidelines laid down by Google for external storage usage
According to Google, “Files created on external storage, such as SD cards, are globally readable and writable. Because external storage can be removed by the user and also modified by any application, don’t store sensitive information using external storage.”
- You should Perform input validation when handling data from external storage as you would with data from an untrusted source
- You should not store executables or class files on external storage prior to dynamic loading
- If your app does retrieve executable files from external storage, the files should be signed and cryptographically verified prior to dynamic loading
- Rather than using external storage (which requires permission), store data on the internal storage.
Google points out the security risk very clearly in its guidelines too: “Many applications attempt to load code from insecure locations, such as downloaded from the network over unencrypted protocols or from world-writable locations such as external storage. These locations could allow someone on the network to modify the content in transit or another application on a user’s device to modify the content on the device.”
Vulnerable applications found by researchers
The researchers found out that among many others, Google Translate, Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser were vulnerable to the ‘Man-in-the-Disk’ attack.
In case of the first three apps — Google Translate, Yandex Translate and Google Voice Typing — it was found that the developers had ‘failed to validate the integrity of data read from the External Storage’.
So, the researchers were able to compromise certain files required by these apps and made each one of them crash.
Xiaomi Browser had it even worse. They were found to be using the external storage for application updates. The researchers were able to carry out an attack where they were able to successfully replace the update code.
Doing this they were able to install an alternative, undesired application instead of the official update.
Xiaomi hasn’t addressed the vulnerability yet
As is always the case, the researchers reached out to the vulnerable app’s developers before publishing their findings but while Google worked on its apps’ shortcomings, and the others are working on it (names will be disclosed after the vulnerability is patched), Xiaomi chose not to address it at this time.
This can be an issue for Xiaomi users as they’re left vulnerable to ‘Man-in-the-Disk’ attacks until the vulnerability is patched by the company.
Since the browser app is used or at least kept by all of the Xiaomi device owners — since it cannot be deleted from the device — this can prove to be an issue for the company and it’s still not clear why they have chosen not to address a security concern at the earliest.