Researchers highlight significant security weakness in mobile devices

Researchers, including an assistant professor from the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to steal personal information.

In a paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks,” that was presented August 22 at the 23rd USENIX Security Symposium in San Diego,  Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a PhD student working with Mao, found that they could hack six of seven popular apps between 82% and 92% of the time on the Android platform, and believe the same flaw is present on other operating systems because they share the Android feature that they exploited.

Gmail and H&R Block apps were the most vulnerable with a 92% success rate, followed by Newegg at 86%, WebMD, 85%, then CHASE Bank, 83%, and Hotels.com also at 83%. Amazon, with a 48% success rate, was the only app they tested that was ‘difficult’ to penetrate – and even then they were successful almost half the time. Some of these apps are more popular in the US than in Asia, but Asian apps are likely to be equally flawed as they would all depend on the same operating system.

Once a user downloads several apps, they share the operating system on the phone. If a malicious app is downloaded, it can check shared memory statistics without asking for permission, allowing it to determine when desired activities are taking place, such as when someone logs into Gmail, or taking a picture of a cheque to be deposited online.

Amazon was more difficult to attack because its app allows one activity to transition to almost any other activity, increasing the difficulty of guessing which activity it is currently engaged in.

“The assumption has always been that these apps can’t interfere with each other easily,” Qian said. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

“By design, Android allows apps to be preempted or hijacked,” Qian added. “But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”

The researchers created three videos that show how the attacks work. They can be viewed here.

Asked what a smart phone user can do about this situation, Qian said, “Don’t install untrusted apps.” On the operating system design, a more careful tradeoff between security and functionality needs to be made in the future, he said.