“Sandboxes” are the foundation of Android security.
One of the main principles of Android is that all applications must be isolated from each other. For this purpose, the so-called “sandboxes” are used: each application and its files exist in a separate “sandbox”, to which other applications do not have access. The idea is that even if a malicious application penetrates the Android device, it will not be able to steal data stored by other good programs (for example, login and password of your banking application or correspondence in the messenger). It is easy to guess that hackers are constantly trying to find new ways to circumvent this mechanism - this is called "escape from the sandbox". From time to time they succeed. For example, at the DEF CON 26 conference, researcher Slava Makkaveev presented a report on how an application that does not have any particularly dangerous or suspicious rights can escape from the sandbox. By analogy with the well-known type of man-in-the-middle attacks he called this technique Man-in-the-Disk.
How the Man-in-the-Disk attack works
In addition to those areas inside the sandbox, in which application files are stored separately, there is also a common external storage in Android. The application must ask permission from the user to access this repository - "Reading from memory or memory card" (READ_EXTERNAL_STORAGE) and "Record in memory or on a memory card" (WRITE_EXTERNAL_STORAGE). These rights are usually not considered dangerous, and almost all applications request them - so there is nothing suspicious in such a request. Applications use external storage for many useful things - for example, to share files with each other or to transfer files between a smartphone and a computer. Beyond that, external storage is often used to temporarily store data downloaded by an application from the Internet: at first, this data is recorded in the publicly accessible part of the disk and only then transferred to an isolated area that only this application has access to. For example, an application may temporarily store there any additional modules that it installs to extend the functionality, additional content or updates of this application. The difficulty lies in the fact that any application with reading access from external storage and writing to it can access these files and modify them by adding something malicious to them. That is, it may happen that you put on your smartphone some seemingly innocuous application - for example, a game. Herewith, it can infect your smartphone with something truly unpleasant. Android creators understand that using external storage can be dangerous and about this, on the website of the operating system there are even some useful tips for developers.
How to protect Android from Man-in-the-Disk attack
The above list is not all programs in which this problem occurs: most likely, vulnerable programs are much, much more. The list above is not all programs in which this problem occurs: most likely, vulnerable programs are much, much more. The researcher chose some really popular ones to demonstrate how bad things are.
How to protect yourself? We have some simple tips:
- Install applications only from official stores, such as Google Play. Malicious viruses sometimes wide into them, but at least there they are less common, and they are regularly removed.
- Disable the ability to install applications from third-party sources in the settings of your smartphone or tablet (these sources are the most dangerous). To do this, uncheck the box next to Settings -> Security -> Unknown sources.
- Choose applications from trusted developers. Look at the rating of the application and read reviews about it. If something looks suspicious - it is better not to install such an application.
- Do not install unnecessary applications. The fewer applications you have on your smartphone, the lower the risk.
- Do not forget to delete applications if you no longer need them.
- Use a reliable mobile antivirus that will warn you in time that a malicious application is trying to sneak into your device.