Divide Between Work, Personal Data on Android Breached

SAN FRANCISCO–Researchers here at the RSA Conference demonstrated Thursday a way a hacker can bypass enterprise mobility management sandboxing tools known as Android for Work that are designed to segregate work and personal data on Android devices.
In a proof-of-concept demonstration, researchers from Skycure showed how two separate malicious apps can circumvent Android’s multiuser framework, which is designed to isolate a work profile from a personal profile on a single device. The attacks hinge on a targeted victim installing apps in their personal profile that grant the attacker heightened privileges over the device’s Accessibility Services and Notification permissions, which apply across both the work and personal profiles.
The Google feature, commonly known as Android for Work, is referred to by Google as “work features in Android.” The EMM-managed service allows businesses to secure work-related data and apps on Android devices as well as enforce OS security features such as verified boot.
Victims targeted by what Skycure is calling an app-in-the-middle attack face two different types of threats. In one proof-of-concept attack, researchers created a fictitious app called NotiMirror that offers users the ability to mirror mobile notifications to a desktop.
When NotiMirror is installed, the app requests permission to take control of the device’s mobile notification features and has the ability to send all mobile notifications received by the device, including SMS messages, to a third-party server.
“Since Notifications access is a device-level permission, a malicious app in the personal profile can acquire permission to view and take actions on all notifications, including work notifications, by design. Sensitive information, such as calendar meetings, email messages and other information appears in these notifications, which are also visible to the ‘personal’ malicious app,” according to a Skycure research report written by Yair Amit, co-founder and CTO at Skycure.
In another attack scenario, demonstrated at RSA, an attacker can hijack mobile notifications related to SMS messages tied to a password reset request to gain access to enterprise resources such as Salesforce and Slack.

“This presents a serious threat to the use of Android for Work as a secure sandbox for mobile work productivity, as EMM solutions have no mechanism to recognize or defend against it. The attacker may even capture two-factor authentication and administrators will not have any visibility of the theft,” wrote Amit.
A second attack involves exploiting Android’s Accessibility Service, which offers audible narration of on-screen text for visually impaired users. For this proof-of-concept, Skycure created an app called StickiWiki that requests permission to monitor all content on the device’s screen. The premise of the fictitious app is to allow users to execute a “@Wiki:” shortcut command to insert abbreviated Wikipedia entries into any Android application, such as chat or email.
Despite the fact the app is installed on the user’s personal profile, StickiWiki monitors all content viewed on the Android device. Next, when a user accesses their work profile and views protected content, an adversary can use StickiWiki to harvest all text on the screen and silently send it to a third-party server.
“This app-in-the-middle resides in the personal profile, yet is effective in stealing corporate information as the user interacts with it. The personal profile cannot be monitored or controlled from the work profile, so even if IT administrators try to enforce security on the work profile (e.g., by restricting the profile settings or allowing only whitelisted apps) it won’t be possible to detect any exposure of sensitive information that uses the Accessibility Service, as they cannot access the personal profile,” Amit wrote.
Skycure notes that access to Accessibility Services can be restricted through a whitelisting function so that only certain apps, identified by their application package names, may use its features. To bypass those whitelisting restrictions, Skycure said it gave the malicious app the same package name as a whitelisted legitimate app.
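The two mechanisms described above (device-level Notification access and the Accessibility Service, both reaching across the personal/work boundary) are both recorded on the device in `Settings.Secure` as colon-separated component lists, under the real keys `enabled_notification_listeners` and `enabled_accessibility_services`. The following audit script is an added example, not code from Skycure, Google or the Threatpost article: it parses those two values for a profile and checks every holder against an allowlist keyed by package name *and* signing-certificate digest, so that an app merely reusing a whitelisted package name, as in the StickiWiki bypass, is still flagged. The setting values, package names and certificate digests below are constructed for illustration; on a real device the values would be collected per profile with `adb shell settings --user <id> get secure <key>`, and the signer digests from an APK signature inventory (collection is outside this snippet).

```python
"""Audit which apps hold device-wide notification and accessibility access.

Added example (not Skycure's, Google's or the article's code). Input values are
constructed; the Settings.Secure key names are real Android keys.
"""
from dataclasses import dataclass

# Constructed sample: what `settings get secure enabled_notification_listeners`
# would return for one profile. Stored form is "pkg/cls:pkg2/cls2".
SAMPLE_LISTENERS = (
    "com.example.notimirror/com.example.notimirror.MirrorService:"
    "com.android.bluetooth/com.android.bluetooth.map.BluetoothMapService"
)
# Constructed sample: `settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.stickiwiki/com.example.stickiwiki.ScreenReader"

# Constructed sample inventory: package -> SHA-256 of its signing certificate
# (lowercase hex). The digests are placeholders, not real certificates.
SAMPLE_SIGNERS = {
    "com.example.notimirror": "aa" * 32,
    "com.android.bluetooth": "bb" * 32,
    "com.example.stickiwiki": "cc" * 32,  # sideloaded app reusing an allowlisted name
}

# Allowlist: package name AND the digest the legitimate build is signed with.
# A name-only allowlist is what the article's package-name reuse defeats.
ALLOWLIST = {
    "com.android.bluetooth": "bb" * 32,
    "com.example.stickiwiki": "dd" * 32,  # the genuine app's signer (placeholder)
}


def parse_components(setting_value):
    """Split a Settings.Secure component list into (package, class) pairs.

    An unset value reads 'null' or ''. A class beginning with '.' is the
    short form relative to the package and is expanded here.
    """
    if not setting_value or setting_value.strip() == "null":
        return []
    pairs = []
    for item in setting_value.split(":"):
        if "/" not in item:
            continue  # malformed entry; skip rather than guess
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


@dataclass
class Finding:
    package: str
    capability: str  # "notifications" or "accessibility"
    reason: str


def audit(listeners, a11y, signers, allowlist):
    """Return one Finding per (package, capability) that is not both
    allowlisted by name and signed by the expected certificate."""
    findings = []
    for capability, value in (("notifications", listeners), ("accessibility", a11y)):
        for pkg, _cls in parse_components(value):
            expected = allowlist.get(pkg)
            if expected is None:
                findings.append(Finding(pkg, capability, "not on allowlist"))
            elif signers.get(pkg) != expected:
                findings.append(Finding(
                    pkg, capability,
                    "package name matches allowlist but signing certificate does not"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTENERS, SAMPLE_A11Y, SAMPLE_SIGNERS, ALLOWLIST):
        print(f"{f.capability:14} {f.package:30} {f.reason}")
```

Because both settings are device-level, the audit has to be run for every user id the device reports (the personal profile as well as the work profile), which is exactly the visibility gap Amit describes: an EMM that only inspects the work profile never sees the personal-profile holder.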
Skycure said it disclosed its research to Google. In response, Google noted that, since the apps were not distributed via Google Play and required the user to overtly grant excessive permissions to both of them, it does not view the technique as a threat to its Android work multiuser framework, Amit said.
“The apps outlined in our research illustrate real-world exposure risks,” Amit told Threatpost. “Apps that utilize the relevant Accessibility and Notification permissions are prevalent in Google Play and other sources – while most are used for good reasons,” he said. “Because of the flaws we outline in our research, they are by design endangering the most sensitive corporate data stored on Android business profiles.”