back to article Memory troubling you, Android? Surprise! Another data slurp vuln uncovered

Yet another Android vulnerability has been revealed by researchers presenting at the Usenix conference: the way apps use memory can be exploited to leak private information with a success rate “between 82 and 92 per cent of the time”. Announced by the University of California, Riverside here, the researchers' paper [PDF] gives …

  1. Anonymous Coward
    Anonymous Coward

    Cult of crapple comes to rescue

    The idiots who are too dumb to not whet the app

    before installing end up buying iShiny things anyway,

    reducing the impact zone!

    Enjoy your false sense of security in the corporate defined

    walled garden, you self-obsessed overspending nincompoops.

    </troll>

    1. a53

      Re: Cult of crapple comes to rescue

      There's always a hater. Keep on buying your plastic thingie that has to be replaced every time there's an o/s update.

      1. RyokuMas Silver badge
        Happy

        Re: Cult of crapple comes to rescue

        @a53 - you think this is bad? Try having a reasonable discussion which involves balancing Microsoft's evils against those of other companies, and watch the accusations of "shill!" fly...

  2. codebeard

    Solution

    Even if you completely eliminate the side channel info leaks*, these kind of issues will remain as long as an app can hijack the running activity.

    Can it be made so that apps require a special permission to start an activity while another app is running? (Unless initiated by activating a notification or an intent by the currently running app.)

    If that's not possible, perhaps the change in app can be made more obvious in the UI. For example, if an app tries to start an activity while another is running, the old app could be shown to fade/zoom out to display the home screen for a fraction of a second, then fade/zoom in to display the second app? This could be accompanied by a hovering alert saying "Background process MyCoolGame is replacing MyBankApp". Sure, some users won't notice, but those that do will hopefully get the app reported. With increasing device resolutions, it may also be possible to show the current running app in the status bar (kind of like how a browser's URL bar mitigates against phishing attacks), which doesn't rely on the user noticing an animation.

    *Some methods to mitigate these side channels are to disallow access to other processes /proc directories, and delay and/or reduce the resolution or of other readable info like network stats (e.g. network counters could be delayed by a couple of minutes, and only be accurate to 1MB increments unless the app is privileged).

    1. Charles 9 Silver badge

      Re: Solution

      There's already a specific Android permission for this "Draw Over Other Apps". Thing is, like the article says, some apps need this functionality to interrupt user action. What's to stop this function being used for evil while at the same time being disguised as something plausible like an alarm clock?

      Sounds to me like the most robust way to handle this (separate the desktop compositor into a black box task and let the apps request their graphical resources from that) has drawbacks of its own such as memory and CPU/GPU costs.

      1. codebeard

        Re: Solution

        There's already a specific Android permission for this "Draw Over Other Apps".

        That permission is something unrelated. This article is about apps with no special permissions being able to intercept the whole activity, not draw over a specific part of another app.

        And for the record, "draw over other apps" is very dangerous and should only be granted sparingly to apps you really trust. Unless I trust an app AND the app has a good reason for needing it, I do not install anything asking for this permission.

        1. Dale 3

          I do not install anything asking for this permission

          Being able to understand what all those permissions actually mean, I suspect you are in the minority. For the majority the logic goes, more or less, "if I say No it won't install, so I guess the answer is Yes". The noble idea of app permissions is flawed by not being able to revoke them individually at install time or afterwards.

          1. Adam 1

            Re: I do not install anything asking for this permission

            >The noble idea of app permissions is flawed by not being able to revoke them individually at install time or afterwards.

            It would be a good start to be able to eliminate search results in play store by requested permissions.

          2. Tony Paulazzo

            Re: I do not install anything asking for this permission

            if I say No it won't install

            There are hundreds of barcode scanners on the Android market, most of them want ridiculous permissions, for eg, Barcode Scanner (first on the list): Device & App history, Contacts / Calender, as well as access to files / camera and wifi connection, but I found one - QR Droid Private that only asks for files / camera. That is the one I use.

            If there is an app you desperately want, email the developer and ask why they require so many permissions, I did that and he cut back on permissions required.

            As for sheep doing what sheep do, well, stupid is as stupid does I guess, all we can do is warn our family, friends, customers to be more aware.

            Altho' I do agree the permissions should be decided by the owner on a yes / no tick (except for maybe 'net access as free apps need to advertise),

          3. RyokuMas Silver badge
            Thumb Up

            Re: I do not install anything asking for this permission

            Urgh, tell me about it. I've seen it a few times from the developer's side - SDK [blah] looks really useful until you realise it needs permissions X, Y & Z in order to use it, some of which make no sense whatsoever!

            These days, if an SDK requires permissions I don't like the look of, it simply doesn't go into my app, no matter how useful it may look. It's difficult enough trying to design so that all users enjoy the app without introducing a rod for your own back, even if it does mean a bit of extra dev. time.

          4. Charles 9 Silver badge

            Re: I do not install anything asking for this permission

            "The noble idea of app permissions is flawed by not being able to revoke them individually at install time or afterwards."

            And remember, this was demanded of app devs before they would even start developing apps on Android. Otherwise, Apple would still be top dog. So now it's a tug of war. Since it's the devs who pay Google actual money to get their apps out there, they're the ones who have Google's ear. End customers can't really influence Google (one leaves, another takes his place) unless they trigger a mass-exodus, and even there, where would you go (Blackberry is foundering and Microsoft and Apple each have their own issues)? Plus, if faced with the prospect of user-customized permissions, devs could still balk and either make their app unusable without all the permissions or simply abandon Android and go back to Apple.

            1. codebeard

              Re: I do not install anything asking for this permission

              And remember, this was demanded of app devs before they would even start developing apps on Android.

              Personally, I think this story is a little apocryphal. Furthermore, it's entirely irrelevant.

              Regardless of any so-called commitments made to app developers in the past, Google should just say "in the best interest of users, and in a world increasingly hostile to user privacy, we are now giving users more control over permissions." Android already has a great market share (over 60%), and it would only increase if Google start giving users proper control over their privacy. And as time goes on in this post-Snowden world, user demand for this will continue to increase.

              Google makes almost no money from developers. They make money from ads, and a little by taking a cut from play store sales. Users not installing apps means users not seeing those ads and not paying for those apps in the play store. It is in Google's financial interest to put users at ease by giving them the power to install apps they would not have otherwise installed due to security/privacy concerns. Furthermore, this has a double benefit of hurting their advertising industry competitors who are making dirty money selling contact data harvested from dodgy apps etc, because users will stop giving contact access to those apps.

              If developers leave the market or make their apps unusable upon Google giving users more control, it is their loss and they know it. Android has a growing market share and developers would have to be idiots to just give that up.

              1. Charles 9 Silver badge

                Re: I do not install anything asking for this permission

                The problems with your idea are (1) if Android is gaining market share, they could employ captive-market tactics. Barring a mass exodus, Google can just wait it out. (2) Google ITSELF mines tons of data. Blocking consumer demographics access would be shooting themselves in the foot.

        2. Anonymous Coward
          Anonymous Coward

          Re: Solution

          Then you must be staring at a blank screen because out of the box many android apps preinstalled ask for ludicrous permissions. And those permissions change with updates.so just because version 3 ask for certain rights that saeem acceptable doesn't mean version 4 update doesn't ask for the same. I have personally seen this and was shocked as to why it did not ask my permissions first. A very well known side door that is wide open.

          There is no privacy anymore, its gone with the dodo. Security is a myth, and when doing anything out in public or any device connected to the internet I always, always follow the same rule: assume everything you do is being monitored by someone else waiting to use it against you. Paranoid, true, but really, how far off base am I with google glass, the NSA and hackers wanting any and all info about me. Different world folks, get use to it.

  3. psychonaut

    a what?

    A picture of a cheque for a banking app?

    Are they from the past? Theyll be faxing them next

    1. sabroni Silver badge
      Happy

      Re: a cheque?

      I know! A way of transferring money from my bank where I specify the exact amount! How old fashioned. Give me Direct Debits anyday, I trust all the companies I deal with implicitly!

      1. Robert Helpmann?? Silver badge

        Re: a cheque?

        The article mentioned banking apps using photos of checks/cheques as an example. There are plenty of other things that being able to essentially capture a screen shot might accomplish. There are plenty of examples of extortion schemes on FB over "private" pictures that have come to light, for example.

  4. Pascal Monett Silver badge
    Flame

    Re "should only be granted sparingly to apps you really trust"

    Agreed.

    Unfortunately, these bloody "smartphones" are not asking me what I trust.

  5. RyokuMas Silver badge
    Devil

    Android...

    "All the security you've come to expect from Windows on your mobile device!"

    ... okay, maybe not that bad. But now is the time to be vigilant, lest Android suffers the same fate as Windows and start collapsing under its own weight.

  6. James 51

    What about BB7/BB10?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020