August 22, 2014
Novel Method Can Hack Popular Apps With Up To A 92 Percent Success Rate
redOrbit Staff & Wire Reports - Your Universe Online
A new security vulnerability in mobile operating systems could allow hackers to gain access to a user’s personal information with a surprising success rate, researchers from the University of California, Riverside and the University of Michigan claim in a new report.
According to Sean Nealon of Phys.org, study authors Qi Alfred Chen, Zhiyun Qian, Z. Morley Mao reported that they believe the flaw exists in Android, Windows and iOS platforms, though they only demonstrated it using an Android device.
The method was found to be successful between 82 percent and 92 percent of the time on six of seven popular apps tested, including those of Gmail, Chase Bank, WebMD and H&R Block, according to reports. Only the Amazon app, with a success rate of 48 percent, proved to be somewhat more difficult to crack.
The authors, who will present their findings Friday at the USENIX Security Symposium, explained that the type of attack is known as a user-interface (UI) state interference attack, said CBS News reporter Michael Roppolo. This type of attack allows hackers to run the malicious software in the background without the user being alerted to the activity.
“The researchers say it could allow a hacker to steal a user's password and social security number, peek at a photo of a check on a banking app, or swipe credit card numbers and other sensitive data,” Roppolo explained. “In Android, an entry point that the researchers call a ‘shared-memory side channel’ could allow hackers to detect what's going on in a user's app,” and iOS device and Windows phone users could also be affected by the issue.
“A user would be vulnerable if they downloaded an app that appeared to be benign but in reality was malware; hackers could then exploit this vulnerability to observe whatever personal data the user entered,” the CBS reporter added. “One example might be when a user opens a banking app and logs in. The hacker would be notified and could begin an ‘activity hijacking attack,’ allowing them to get a user's personal information.”
While the authors report they have yet to test their method on other mobile platforms, they believe that it will work because the operating systems share one of the features exploited during the Android system test. The researchers began investigating the method because they believed there were security concerns associated with so many different apps being created by the same developers and running on largely the same shared infrastructure.
“The assumption has always been that these apps can’t interfere with each other easily. We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user,” Qian said. “By design, Android allows apps to be preempted or hijacked, but the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”
Unique, and effective, according to the University of California, Riverside. Qian, an assistant professor in the university’s Computer Science and Engineering department, and his colleagues reported a 92 percent success rate in attacking both Gmail and H&R Block using this new method.
Their technique was 86 percent successful against Newegg, 85 percent successful against WebMD, and 83 percent successful against Chase Bank and Hotels.com. Only the Amazon app had success rate of under 80 percent, and the authors explained that it was “more difficult to attack because its app allows one activity to transition to almost any other activity, increasing the difficulty of guessing which activity it is currently in.”