back to article Sneaky devs could abuse shared libraries to slurp smartphone data

Oxford researchers reckon they've spotted the next emerging trend in Android advertising (and possibly malware): using common libraries to “collude” between apps with different privilege levels. Libraries are a common enough vector for attackers to target, but the trio of boffins (Vincent Taylor, Alastair Beresford and Ivan …

  1. Nick Kew Bronze badge

    Have I gone senile?

    Um, libraries are code, and code is not data. What have libraries to do with application privileges?

    Now if you'd talked of risk of a privileged daemon (or even kernel module) leaking to a supposedly-less-privileged app, that would make sense. And if you'd said android involves daemons managing various functions from user input to location tracking, so would that.

    Did I just wake up to find daemons (or something similar) are now called libraries? Or what am I missing? Are we back to the days when hardware was mapped to ordinary memory? Damn, your other story is April 1st.

    1. Anonymous Coward
      Anonymous Coward

      Re: Have I gone senile?

      I was thinking the same thing. The way shared libraries work, including on Linux upon which Android is based, the text and other read only data is shared, but writeable data (both initialized and uninitialized) is private, with each process having its own pages for that data.

      Thus I'm unclear on how a process is able to use shared library data to communicate to another process. Does Android provide some special support, or maybe Linux does via a method I'm not aware of? If the latter, maybe Android should just disable that, it would seem to have little value compared to the security risk.

      1. Anonymous Coward
        Anonymous Coward

        Re: Have I gone senile?

        Its not, what this is about is using shared libraries means that the library creator can embed crap into it that can mean that when its used across multiple applications all with different permissions means that the creator can end up with more access than anyone application has granted.

        One app can have been given access to you phone book, as this library is embedded in this app, it also has access to your phone book (android cant limit access to the library, it on the app only). Now you install a second app which includes this same library, it gets given access to your texts. Now this library and thus the creator of the library now has the possibility to access to you phone book and texts.

        What this is about is say facebook creating these super libraries that do all these great things, people use it in their apps. People then install them and grant limited permissions, but as they have many apps installed with many different permissions facebooks library ends up with them all when combined. This library can be written to send this limited data from each application back to facebook and be combined to be greater than each individual application could have provided.

      2. Anonymous Coward
        Anonymous Coward

        Re: Have I gone senile?

        ... how a process is able to use shared library data to communicate to another process.

        A hostile library should still be able communicate between instances, provided that it shares some namespace with these instances. This can be any namespace - files, or memory mappings, or tcp/ip, or sensor side channels - whatever is available. Once a communication channel is established, the library can access the union of the apps' permissions.

        There is nothing really unique about shared libraries in this attack vector - you can achieve the same result if you can subvert multiple applications in any other way. Shared libraries just provide a convenient insertion point for the hostile code.

      3. Charles 9 Silver badge

        Re: Have I gone senile?

        Think this way. A library has certain permissions due to app A, but suppose app B takes advantage of the privileged library to do its own snooping?

      4. Anonymous Coward
        Anonymous Coward

        Re: Have I gone senile?

        Just remember Android is not Linux. It is built upon Linux, but its applications are a mix of different code layers, including a lot borrowed from Java. Being designed as a slurping OS first, and being Linux and Java there just to lower development costs (Google get more from open source projects than it returns...), I wouldn't bet on its security model.

        Actually, the more an OS is designed to gather data about its users, the more open to leak those data is. Of course, together Android that's a risk for Windows 10 as well.

        1. Anonymous Coward
          Anonymous Coward

          Re: Have I gone senile?

          Well, then, what's the alternative? Roll your own? Then where will get mainstream support, especially from banks and the like who demand a signed OS?

  2. Lost In Clouds of Data
    Thumb Down

    Sadly, crap like this made me switch

    (This is not an Apple vs Android whine, despite what you might think)

    And shit like this is why, last year I switched to Apple. Not that the iPhone is a superior device to many of the top of the line Android phones, nor is the UI better (it's not). Indeed there's much to be annoyed about (Security patches rolled into OS releases? Aw, c'mon Apple).

    However, right now, Apple have a far better handle on App & Device security. Perfect? No, far from it, but that said, as of writing, devices from nigh on 4 years ago are STILL getting security [and, by virtue of my annoyance above] O/S updates, and are on scheduled to get iOS 11 as well.

    Meanwhile my old Nexus 6 (an admirable night clock - why oh why cannot Apple allow Apps to keep the screen on - such as Clocks - then have the O/S lock the moment you exit?) barely a nipper at 2.5 years old, will receive it's last security update (next month? month after?).

    This is a problem; people would like to keep their devices longer AND feel secure.

    I've no doubt that Google can fix this shared library issue, but let's be honest, an issue of this magnitude ain't gonna happen until Android 'P'. Already the Nexus 6 is stuck at Nougat (and not even the latest release either).

    These are Google devices dammit; people brought them because they were under their control; no carrier interference, no nothing. And yet they're already toast.

    I get the LGs, HTCs etc not getting more than a few updates, but Nexus and Pixel devices should be the equivalent of an LTS release - with support for at least security fixes spanning 4 years.

    Until then I'll be in Apple's camp. Not perfect (by any stretch of the imagination), but at least my 7 plus will receive patches for years to come.

  3. Pascal Monett Silver badge

    I cry foul !

    Google-analytics is not first ?

    Based on that fact alone I say this list is rubbish. Google analytics is everywhere. I just can't believe bloomin' Facebook is first.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020