New Android security flaw can lead to data theft

Palo Alto Networks, which provides enterprise security, has shared new research highlighting security risks in the internal storage used by applications on Android devices. More than 94% of popular Android applications are potentially vulnerable, the company said.

Android Internal Storage is a protected area that Android-based applications use to store private information, including usernames and passwords. According to Palo Alto Networks, a criminal can steal sensitive information from most of the applications on an Android device using a feature in the Android operating system called the Android Debug Bridge (ADB) backup/restore function. Although Google has added security enhancements to Android, Palo Alto Networks added that those security layers can be bypassed.

Key details:

  •  Anyone using a device running version 4.0 of Android, code-named Ice Cream Sandwich, or a higher version (about 85% of Android systems in use today) is potentially vulnerable
  •  To use ADB, an attacker would need physical access to the device, whether borrowing or stealing it from the user; an attacker could also take control of a system to which the device is connected via USB
  •  Over 94 percent of popular Android applications, including pre-installed email and browser applications, use the backup system, meaning users are vulnerable
  •  Many Android applications will store user passwords in plain text in Android Internal Storage, meaning almost all popular e-mail clients, FTP clients and SSH client applications are vulnerable
  •  Google has set the default for applications to allow backups; application developers are responsible for disabling the feature or otherwise restricting backups; however, the high percentage of applications that have not disabled or restricted backups suggests many developers are unaware of the risks

Palo Alto Networks recommends that Android users disable USB debugging when it is not needed, and that application developers protect Android users either by setting android:allowBackup to false in each Android application’s AndroidManifest.xml file or by using a BackupAgent to restrict backups from including sensitive information.
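A check for the developer-side recommendation above, as an added example that is not from Palo Alto Networks or the original article: it reads decoded (plain-text) AndroidManifest.xml content and classifies each application's backup setting. The sample manifests, package names and status labels are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace of android:* attributes in a decoded (plain-text) manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def backup_status(manifest_xml):
    """Return (package, status) for one decoded AndroidManifest.xml."""
    # Manifests pulled from third-party APKs are untrusted input: reject DTDs.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("manifest declares a DTD; refusing to parse")
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "?")
    app = root.find("application")
    if app is None:
        return package, "no-application"
    allow = app.get(ANDROID_NS + "allowBackup")
    agent = app.get(ANDROID_NS + "backupAgent")
    if allow is not None and allow.startswith("@"):
        return package, "unresolved"      # resource reference: check the value by hand
    if allow is not None and allow.lower() == "false":
        return package, "disabled"
    if agent:
        return package, "custom-agent"    # review what the BackupAgent includes
    # Attribute absent: the platform default allows backups, as the article notes.
    status = "allowed-by-default" if allow is None else "allowed"
    return package, status

def audit(manifests):
    """Map package name -> backup status for a list of manifest strings."""
    return dict(backup_status(m) for m in manifests)

_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
# Constructed sample manifests (hypothetical packages), one per case.
SAMPLES = [
    _HEAD % "com.example.mail" + '<application android:label="Mail"/></manifest>',
    _HEAD % "com.example.ssh" + '<application android:allowBackup="true"/></manifest>',
    _HEAD % "com.example.bank" + '<application android:allowBackup="false"/></manifest>',
    _HEAD % "com.example.notes"
    + '<application android:backupAgent=".NotesBackupAgent"/></manifest>',
]

if __name__ == "__main__":
    for package, status in audit(SAMPLES).items():
        print(f"{package:20} {status}")
```

A result of "custom-agent" only means backups pass through the application's own BackupAgent; whether that agent excludes credentials still needs a code review.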

“We encourage users to be aware and Google to take a closer look at this storage weakness in Android. Given Android’s place as the world’s most popular mobile operating system, millions of users are potentially at risk,” warned Ryan Olson, Intelligence Director, Unit 42, Palo Alto Networks.

Read the technical details at the Unit 42 research blog.