| After some reading, the attack is basically threefold: 1) A service (with no permissions) can monitor /proc and come up with a way to identify Activity transitions, and pinpoint specific activities in specific apps. This is brilliant IMO. 2) With good timing, a service (with no permission) can inject a "phishing" Activity in foreground, just when the app is supposed to show its own Activity. This can be used to steal credentials, etc. Videos show that it works flawlessly, with perfect timing and no graphic glitches. 3) A service (with no permissions) can take camera pictures in background with no permissions, bypassing the permissions because of a bug (the camera preview into an OpenGL texture seems not guarded by app permission checks). My comments: #1 shows a security issue because of inheritance of bad security practices of desktop operating systems. Since applications don't need /proc (especially if they're supposed to always go through the framework, for security reasons), they shouldn't be given access. #2 shows a glaring design bug in Android backgrounding system. The fact that a service can pop up an activity in front of an user while they are doing something else, is not only a UX mistake, but a clear security issue. #3 seems like "just a bug", but the idea that any background service (with any permission level) could be taking pictures in background on any Android device is terrifying. |