A weakness believed to exist in Android, Windows and iOS operating systems could be used to obtain personal information from unsuspecting users, research at the University of
The method was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Gmail,
The hack is particularly dangerous because it lets attackers time the presentation of a fake screen to the moment the user expects to enter sensitive data.
"We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen," said
Chen, who works under Zhuoqing Morley Mao, an associate professor of electrical engineering and computer science at U-M, will present the research on
Chen, Mao, and co-author
"The assumption has always been that these apps can't interfere with each other easily," said Qian, a recent doctoral graduate from Mao's group. "We show that assumption is not correct, and one app can in fact significantly impact another and result in harmful consequences for the user."
The attack starts when a user downloads a seemingly benign app, one that controls the phone's wallpaper, for instance. While that app runs in the background, it can read shared memory without needing any special privileges.
The researchers monitored changes in the shared memory and correlated them with what they call "activity transition events." These included logging into a service or photographing a check so that it could be deposited online. Augmented with a few other side channels, the team could fairly accurately track user activity in real time.
Chen suggests that check images are a particular risk. "A camera-peeking attack can steal your account number, home address and even your signature," he said.
The researchers created three short videos that show how the attacks can steal login and social security information from
Of the seven apps, Amazon gave the team the most trouble, with a 48 percent attack success rate. This is an accident of the app's flexibility - it allows one activity to transition to almost any other activity, increasing the difficulty of guessing what the user will do next.
Asked what a smart phone user can do about this situation, Qian said, "Don't install untrusted apps."
Chen added that users should also be wary of the information access requested by apps on installation. It is dangerous to allow access to the user interface state, which is the channel that the team used to time their attacks.
On the operating system side, a more careful tradeoff between security and functionality needs to be made in the future, Qian said. For example, side channels need to be eliminated or more explicitly regulated.
The paper is titled, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks."
This release was prepared in collaboration with