Researchers find Android security issue in app permissions protocol

  • 16 April 2014
  • 1 reply
  • 6 views

Userlevel 7
Researchers find Android security issue in app permissions protocol 
by Danielle Walker
 
The permissions issue could allow a malicious app to alter legitimate home screen icons. Analysts discovered an Android app permissions issue, which could ultimately allow a crafty saboteur to redirect users to spurious sites using malicious apps.
In a Monday blog post, FireEye researchers detailed the problem: an inadequate security protocol affecting Android platforms 4.1 to 4.4.2, where some app permissions, categorized as “normal”, open users' data to dangerous exploits.
FireEye also found that devices using non-Android Open Source Project [asop] launchers, such as Nexus 7 running CyanogenMod 4.4.2, Samsung Galaxy S4 running Android 4.3, and HTC One running Android 4.4.2., were impacted by the issue. In a proof of concept attack scenario, researchers demonstrated how a malicious app with two “normal” permissions was able to modify legitimate home screen icons on users' devices. After doing this, an intruder could orchestrate attacks targeting users' sensitive data. In the attack scenario, researchers showed how victims could be redirected to phishing websites, once they clicked modified icons. FireEye explained that ASOP uses an app permissions classification process, which will alert users to apps requesting “dangerous” permissions, by requiring their confirmation before users install the app. In contrast, apps asking for “normal” permissions can be downloaded without the added step. "An attacker can still manipulate Android home screen icons using two normal permissions: com.android.launcher.permission.READ_SETTINGS and com.android.launcher.permission. WRITE_SETTINGS”, the blog post said. “These two permissions enable an app to query, insert, delete, or modify the whole configuration settings of the Launcher, including the icon insertion or modification. Unfortunately, these two permissions have been labeled as ‘normal' since Android 1.x".
In a Monday email to SCMagazine.com, Hui Xue, a senior engineer at FireEye who co-authored the blog post, said that the company notified Google of the issue last October. In response, Google replied in February that it had released a patch for its original equipment manufacturers (OEMs) remediating the issue. Despite the patch's availability, many users still await a fix from their vendors, Xue added. “Vendors do need to incorporate the patches”, Xue said. “Before updates from vendors, users have to take extra caution when using icons”. FireEye said that it has not seen any evidence of attempted exploits leveraging the vulnerability.
 
Full Article

1 reply

Userlevel 7
The following article is a update on Android permissiion protocol
(Malicious app can get past Android WITHOUT PERMISSIONS)
 
By Richard Chirgwin, 22 Aug 2014
 
 
Researchers presenting at Usenix have lifted the lid on yet another Android vulnerability: the way apps use memory can be exploited to leak private information with a success rate “between 82 and 92 per cent of the time”.
Announced by the University of California, Riverside here, the researchers' paper gives a pretty good idea of what's going on in its title: “Peeking into Your App without Actually Seeing It: UI State Inference andNovel Android Attacks”.
 They note that UI state can be spied on by a malicious app without requiring any permissions, in what they call a “UI inference attack”. Their demonstration included stealing login credentials and obtaining sensitive camera images taken by the user (in the demo case, they copied a cheque a user had shot for use with a banking app).
 
The Register/ full article here/ http://www.theregister.co.uk/2014/08/22/malicious_app_can_get_past_android_without_permissions/

Reply