The researchers who hacked into Gmail on Android were able to show that apps can interfere with each other and that’s the really scary part.
We may become inured to any information about hacking of our personal applications and data. It’s going to be simple because the urgency of security failures is being reduced by the number of points of failure.
Today’s news is dominated by the story that Gmail was hacked on an Android app by getting one app to effectively spy on another one.
The attack actually uses a method that bypasses the “sandboxing” of apps within the platform. Essentially, apps aren’t supposed to be able to interfere with each other so, researchers at the University of Michigan and NEC Labs America hacked the User Interface (UI).
In the paper to be delivered today at hte USENIX Security Symposium in San Diego the researchers point out the the security of an Android phone’s UI can be compromised by background apps.
The following videos amply demonstrate the hijacking of the phone using the UI. H&R Block, Chase, and NewEgg are shown here but not Gmail.
Data from the Graphical User Interface (GUI) is stored in memory that is shared by all apps and in 6 out of 7 popular Android apps, the researchers showed that they could compromise that GUI data for other apps and steal the user’s input data.
So, essentially, the background app from the researchers has found a way to figure out what is going on on your phone screen by looking at the memory configuration of your display. You input your login and password into an app and the researchers get to see it, and they did the vast majority of the time.
So, this isn’t just a case of a Gmail vulnerability. That makes for a great headline. But, I would be more concerned about having my banking app hacked or the fact that this is a method that exposes almost any app running within the system that is using the standard processes for the UI and GUI of the phone.
The researchers were tracking activities and even hijacking and peeking into the camera.
The good news is that the researchers have offered ways to eliminate the “side channel” where the data they accessed is stored and ways to make the system more secure.
Check out the paper by the researchers: Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks.
This was a much bigger and scarier attack than getting into Gmail, even though that is pretty scary.