[sjf]

There's not many details, it looks a failure of JVM sandboxing?

Ok, the actual paper describes the problem "popular GUI frameworks by design can potentially reveal every UI state change through a newly-discovered public side channel — shared memory".

The attack works by watching the size of shared memory in use in /proc, detecting UI events by allocations of shared memory, and then pre-empting the new screen with a phishing screen.

[giovannibajo1]

After some reading, the attack is basically threefold:

1) A service (with no permissions) can monitor /proc and come up with a way to identify Activity transitions, and pinpoint specific activities in specific apps. This is brilliant IMO.

2) With good timing, a service (with no permission) can inject a "phishing" Activity in foreground, just when the app is supposed to show its own Activity. This can be used to steal credentials, etc. Videos show that it works flawlessly, with perfect timing and no graphic glitches.

3) A service (with no permissions) can take camera pictures in background with no permissions, bypassing the permissions because of a bug (the camera preview into an OpenGL texture seems not guarded by app permission checks).

My comments:

#1 shows a security issue because of inheritance of bad security practices of desktop operating systems. Since applications don't need /proc (especially if they're supposed to always go through the framework, for security reasons), they shouldn't be given access.

#2 shows a glaring design bug in Android backgrounding system. The fact that a service can pop up an activity in front of an user while they are doing something else, is not only a UX mistake, but a clear security issue.

#3 seems like "just a bug", but the idea that any background service (with any permission level) could be taking pictures in background on any Android device is terrifying.

[fidotron]

Sounds to me like it detects the activity to activity transition (which on Android creates an Intent which is passed to the system and back via shared memory) and then does something else, i.e. display a fake password entry screen when the transition is detected.

It sounds like the actual Intent contents remain secure, however, the creation of an Intent while a particular app is in the foreground and using a particular amount of memory might be the kind of trigger they'd be looking for.

An OS level patch to get around this could involve preallocating shared memory for each application so that differences in it during the app lifecycle do not actually occur. Modern systems have enough RAM, and there are low enough limits on what is flying around, that this shouldn't be a problem.

[giovannibajo1]

or just remove /proc access from apps, which is totally useless.

[fidotron]

Actually it's not, and it would break enough that they wouldn't be able to do that without complaints. See the entire permission system for another case.

Therein lies Google's problem, as once anything is usable in public it does get used/abused. There are certain VM behaviours in compatibility mode which are like this, where outright bugs have to be preserved in later versions for the benefit of apps which aren't going to receive timely updates.

[stusmall]

I've seen /proc permissions from version to version. For example the available of /proc/last_kmsg changed at some point. In kitkat its only available to UID system and apps with android.permission.READ_LOGS[1]. Not sure exactly when this changed but this line wasn't present in 4.1.2.

1. https://android.googlesource.com/platform/system/core/+/mast... line 218

[sjf]

I would actually like to know what apps want in /proc that they can't get through the API.

[void-star]

Well... how do you suppose the API gets at all the things? (not everything is done across IPC/binder, much is in process)

[giovannibajo1]

The permission model in Android goes through the APIs. If you can bypass the API to go lower-level, then you're effectively giving up the security, and just waiting for some cool researcher (or attacker) to find ways to exploit them.

The above makes sense if you want to assume that you need /proc at least at some permission level. If you don't (which I think you don't), then it should simply be unmounted in the sandbox.

IPC is the standard way to get out of the sandbox, and should be used also for whatever features the APIs need /proc for.

[void-star]

ptrace is actually a more reliable way to get at remote process memory on Android, I think. I'd suspect this before /proc.

Also, /proc nor ptrace is "useless". Both are actually fundamental to several aspects of the underlying system that zygote runs on.

[peterwwillis]

They are calling the main attack UI state inference attack (looking at shared memory for window manager state changes) from which they begin an Activity hijacking attack (phishing). The camera attack is merely taking a picture right after a secured app (e.g. Banking app) has taken a picture.

The paper is linked in the article. Here are demos linked from their paper: https://sites.google.com/site/uistateinferenceattack/demos

[pritambaral]

TA mentions the researchers claiming similar attacks could be carried out on Windows and iOS too. Without more info, I suspect the failure isn't anything platform-specific like JVM sandboxing.