Researchers Hack Gmail With 92 Percent Success Rate

A reader sends this report from CNET: Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information. Although it was tested only on an Android phone, the team believes that the method could be used across all three operating systems because all three share a similar feature: all apps can access a mobile device's shared memory. "The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user." To demonstrate the method of attack, first a user must download an app that appears benign, such as a wallpaper, but actually contains malicious code. Once installed, the researchers can use it to access the shared memory statistics of any process (PDF), which doesn't require any special privileges.

Blast from the past

[Megane]

Blocking access to the memory space of other processes has been a solved problem since timesharing in the '60s and '70s, right?

I assume they aren't running in a flat address space with no MMU, so maybe the problem is that the apps all operate under the same user ID, which bypasses the usual multi-user protections. Perhaps "run each app with a unique user ID" will be something we'll see a lot of in the next few years, like the no-execute bit and ASLR were in the 2Ks?

Re:Blast from the past

[sumdumass]

Corect me if i'm wrong.

In desktop and server os'the memory allocation is controlled by the os. So couldn't a solution be having the OS control direct memory acces and just present the ap with a table in order to mimic current practices and backwards compatability? Or would that be too much overhead for these devices?

Or am i way off base here?

Re:Yawn.

[SansEverything]

There's an important detail which, for me at least, is surprising. From the paper:

"In this paper, we report that on the Android system (and likely other OSes), a weaker form of GUI confidentiality can be breached in the form of UI state (not the pixels) by a background app without requiring any permissions."

No permissions required, OUCH. The permission system was already considered useless, because all apps abuse permissions, but this really puts a nail in its coffin.

You download a simple Wallpaper app, or whatever, that requires no permissions to check your call data and other bullshit. What harm can it do, right? WRONG. If the flaw is in the window manager implementation, I wonder if this will be even fixed! And other OSes might be vulnerable.

Re:tl;dr

[vux984]

An immediate work-around would be to randomly place the log-in screen within a pre-determined area such that the hostile app would be unable to immediately overlap it. The double image will tell the user something is wrong.

The double image will tell the user something is wrong.

How is that a work around?

Its a phone. The login 'window' is going into a 3" to 5" space and is full screen in nearly every implementation. The 'popup' that the hostile app preempts simply covers the whole screen.
All in all not a particularly powerful attack vector.

Quite the opposite. Its a very powerful attack vector; and given the surprisingly good ability to time the pre-emption a very dangerous one.