Thanks to Ignorant App Developers
At Defcon 2018, we have so far witnessed many innovative forms of compromising devices including electoral voting machines. However, this latest revelation “Man-in-the-disk Attack” is quite surprising and to a great extent concerning for Android users.
According to researchers at CheckPoint security firm, the new attack method dubbed as Man-in-the-disk can exploit storage protocols of third-party apps to crash the mobile phone. It is indeed a novel technique because so far storage systems have been overlooked by security researchers and developers. This leaves the devices at risk of Man-in-the-disk attack. There will be drastic consequences of this attack, researchers claim.
After the app is installed, the attacker can easily monitor whatever is written to the external storage. If an attacker wants, he can modify or even remove/replace data with something else.
For your information, there are two types of storage systems in an Android phone, internal and external. Internal storage is protected via a dedicated sandbox. Conversely, the external storage mechanism utilizes a removable SC or microSD card. It is the external storage that is shared across the OS since it allows data transfer between apps. Whatever you send or receive through an app, will be stored in the external storage.
The problem is that there aren’t any built-in protections against sharing compromised or infected data. Google has provided developer guidelines in this regard to ensure best security practices. Such as it developers much not allow critical data files and executable files to be stored in the external storage. Moreover, external storage files must be cryptographically signed and verified before dynamic loading.
However, these guidelines are often ignored by developers; probably they aren’t fully aware of the probable security risks associated with it. CheckPoint researchers identified that about half of the Android apps available on Google Play did not comply with Google’s developer guidelines. In fact, even Google’s own developers didn’t follow them because researchers identified non-compliance issues in Google’s apps too. These include Google Translate, Google Text-to-Speech, and Google Voice Typing. Other apps examined by researchers were Yandex Translate and Xiaomi Browser.
While the buffer overflow vulnerabilities were generated by careless developers everywhere, it wasn’t until OS and CPU makers took a stand against this, introducing DEP and ASLR protections, that the problem was averted. In the heart of this was the realization that developers cannot always be trusted to follow security guidelines, explained CheckPoint.
Video demonstration
The video demonstration of the Man-in-the-disk attack on Yandex Translate and Xiaomi Browser are available here and here while demonstration for the attack on Google Voice Assistant can be watched below:
The consequences of such ignorance will be that the data written by an app to the external storage will be at risk of exposure. Millions of Android phones are currently at risk and users cannot do much to protect their devices from the Man-in-the-disk attack. According to Check Point’s official blog post on this issue, data present in the external storage can easily be manipulated by interlopers.
“Such practice offers an opportunity for an adversary to manipulate the data held in the External Storage before the app reads it again.”
The technical details for Man-in-the-disk attack are available here.
