Android apps wrongly using SD Card might lead to hacking


In another discovery which raises concerns about cybersecurity, security firm Check Point has found a flaw that lets hackers take advantage of Android apps that make poor and unprotected use of external storage.

This exploit could allow hackers to install malware, make apps crash, and prevent other legitimate apps from running.

Here's all about the risks, and how you can protect yourself.

First, the basics of storage on Android devices

Internal v/s External

Android apps have two options for storage - a secure, internal storage, and a less secure external SD card-based storage.
While a phone's internal storage is carefully secured, external storage allows data to be shared between apps and doesn't have the same security.
Albeit this doesn't always translate to a security threat, developers who use external storage wrongly might give hackers a way in.


How attackers can leverage the external storage vulnerability

Attack

Researchers from Check Point found that some Android apps were unnecessarily relying on unprotected external storage, and didn't even bother to verify the data that came in from SD cards.
This allows attackers to get users to install seemingly innocuous apps, and get permission to use external storage (which is widely regarded as not suspicious).
Once the permission is granted, hackers can exploit it.

Details about the 'man-in-the-disk' attack

Details

Check Point dubbed such potential attacks "man-in-the-disk" attacks.
Using it, malicious apps with the permission to use external storage can monitor, and if required, overwrite data between a device's external storage and other apps.
Notably, Check Point also found that Google Translate, Google Voice Typing, and Xiaomi Browser, among other un-notable apps, also didn't verify the integrity of data from external storage.

How you can protect yourself from potential attacks

Protection

Check Point had notified Google and Xiaomi of its findings pertaining to their apps' misuse of external storage.
While Google released a fix shortly, Xiaomi hasn't responded yet.
Meanwhile, what you can do to avoid falling prey to such attacks is to avoid downloading strange, unverified apps from Google Play Store.
Beyond that, there's not much to be done.
Previous Post Next Post