TU Braunschweig, Institute for Operating Systems and Computer Networks, Professors Dominik Schürmann and Lars Wolf are warning about a “Surreptitious Sharing” vulnerability which is present in many Android communication apps. Their pre-published research paper, Surreptitious Sharing on Android (pdf), is to be presented at the security conference GI Sicherheit 2016.
Their paper presents security issues with URIs that use the file scheme. The abstract explains, “Many email and messaging applications on Android utilize the Intent API for sharing images, videos, and documents.” Instead of passing the entire file through the API, Android exchanges only Uniform Resource Identifiers (URIs) that point to where the file is actually stored. The researchers evaluated four email and eight messaging apps from the perspective of privilege escalation and data leakage, and found that eight of the 12 tested apps were vulnerable.
There has been a great deal of research along similar lines, but the researchers were interested specifically in surreptitious sharing of content via file-scheme URIs, a vulnerability that has mostly gone unreported. What they found, Schürmann explained, is that “in the worst case, this can possibly leak private keys stored by popular encrypted messaging apps, such as Threema, Telegram, or Signal.”
They used two scenarios showing how surreptitious sharing can be exploited.
In one exploitation example of surreptitiously sharing IMAP passwords, a malicious app could show a screen indicating the app crashed and include a button to report the bug to developers. However, in reality, “touching the button starts a malicious Intent specially crafted for a particular email client with an URI pointing to a private file of this email app, containing the IMAP password.”
The exploitation technique was successfully tested on K-9 Mail, AOSP Mail, Gmail and WEB.DE. To make it even less likely that a user would notice the data leakage, “and to circumvent protection mechanisms in Gmail,” they created a hard link named “bug-report.” They were not able to exploit Gmail on Android 6 (Marshmallow), Schürmann noted, due to new SELinux policies.
In scenario two, the researchers set out to exploit messaging apps and share their databases to obtain personal information such as message histories. This time, they used music sharing. “Instead of faking a crash followed by a bug report,” attack scenario two “consists of a functional music player also featuring a button to share music with friends via installed messengers.”
In attack scenario two, the researchers looked at five popular messaging apps on Google Play and also picked three privacy-focused ones. They were not able to exploit WhatsApp, Hangouts, Facebook Messenger or Snapchat. They “were easily able to execute the exploit” on Skype.
Threema supports encrypted databases, but they “were able to retrieve both the database and the key.” Much like with Threema, Signal’s database was vulnerable and they were able to make the app crash on each start. Telegram was also exploitable, even though they could not hide the filename or type with their tricks, but “using the hard link can help to make the user less suspicious.”
In conclusion, the researchers explained that of the 12 apps they analyzed for the Surreptitious Sharing vulnerability:
Our evaluation showed that 8 applications were exploitable and security checks implemented in GMail and AOSP Mail could be bypassed. Unfortunately, especially the privacy-focused messaging applications were easily exploitable. Hiding the private files by setting an explicit MIME type has been shown to work in Signal and Threema. Besides fixing the vulnerability, we recommend best practices for application developers [on] how to handle shared files.
Google was notified of the security issue on January 29. Developers of vulnerable apps K-9 Mail, WEB.DE Mail, Skype, Threema, Signal and Telegram were notified on February 1. Although developers for most of the evaluated apps responded quickly, Microsoft failed to even respond to the responsible disclosure; “thus, Skype is still vulnerable.” Ironically, Microsoft is listed as a sponsor of the security conference.
Although the research only looked at those specific apps, the researchers said it is important to note that “the issue is definitely present in many more apps besides the discussed ones.”
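The paper's recommended countermeasure is for the receiving app to vet shared URIs before reading them with its own permissions. The following helper is an added illustration written for this article, not code from the paper or from any of the apps it names; the class name `SharedFileGuard` and its methods are hypothetical. It refuses file-scheme URIs that resolve into the app's own private data directory, and also refuses files owned by the app's own UID, which catches the hard-link trick described above because a hard link shares the original file's inode and owner.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Process;
import android.system.ErrnoException;
import android.system.Os;
import android.system.StructStat;
import java.io.File;
import java.io.IOException;

// Hypothetical helper for an app that receives ACTION_SEND Intents.
public final class SharedFileGuard {

    private SharedFileGuard() {}

    /** Returns null if the URI may be read as an attachment, else a reason to refuse it. */
    public static String rejectionReason(Context ctx, Uri uri) throws IOException {
        if (uri == null) return "no URI";
        String scheme = uri.getScheme();
        // content:// is served by a ContentProvider that enforces its own access control.
        if ("content".equals(scheme)) return null;
        if (!"file".equals(scheme)) return "unsupported scheme: " + scheme;

        // Resolve symlinks before comparing against this app's private directory.
        String canonical = new File(uri.getPath()).getCanonicalPath();
        String privateDir = new File(ctx.getApplicationInfo().dataDir).getCanonicalPath();
        if (canonical.equals(privateDir) || canonical.startsWith(privateDir + File.separator)) {
            return "points into this app's private storage";
        }
        // A hard link elsewhere shares the inode (and owner UID) with the original,
        // so a path prefix check alone would miss it (assumption: the app only
        // expects attachments from other UIDs, e.g. external storage).
        try {
            StructStat st = Os.stat(canonical);
            if (st.st_uid == Process.myUid()) {
                return "file is owned by this app (possible hard link to private data)";
            }
        } catch (ErrnoException e) {
            return "cannot stat file: " + e.getMessage();
        }
        return null;
    }

    /** Extract EXTRA_STREAM from an incoming share Intent and vet it before use. */
    public static Uri vettedStream(Context ctx, Intent intent) throws IOException {
        Uri uri = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        String reason = rejectionReason(ctx, uri);
        if (reason != null) throw new SecurityException("Refusing shared file: " + reason);
        return uri;
    }
}
```

Calling `vettedStream` in the Activity that handles the share Intent, and only then opening the returned URI, keeps a crafted Intent from turning the app into a courier for its own IMAP password or message database.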
You can wade neck deep in the details of the issue as well as explore the countermeasures in the Surreptitious Sharing on Android (pdf) whitepaper.