
Major weakness discovered in Android, Windows, and iOS


Reefa


Researchers have identified a weakness believed to exist in Android, Windows, and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone. The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested.

Researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows, and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank, and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested

A UCR release reports that the paper was presented Friday, 22 August, at the 23rd USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.

The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system. However, they haven’t tested the program using the other systems.

The researchers started working on the method because they believed there was a security risk with so many apps being created by so many developers. Once a user downloads a bunch of apps to his or her smart phone, they are all running on the same shared infrastructure, or operating system.

“The assumption has always been that these apps can’t interfere with each other easily,” Qian said. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel — the shared memory statistics of a process, which can be accessed without any privileges (shared memory is a common operating system feature to efficiently allow processes to share data).

The researchers monitor changes in shared memory and are able to correlate changes to what they call an “activity transition event,” which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank. Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.

There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.

“By design, Android allows apps to be preempted or hijacked,” Qian said. “But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”

The researchers created three short videos that show how the attacks work.

Here is a list of the seven apps the researchers attempted to attack and their success rates: Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent), Hotels.com (83 percent), and Amazon (48 percent).

Amazon was more difficult to attack because its app allows one activity to transition to almost any other activity, increasing the difficulty of guessing which activity it is currently in.

Asked what a smart phone user can do about this situation, Qian said, “Don’t install untrusted apps.” On the operating system design, a more careful tradeoff between security and functionality needs to be made in the future, he said. For example, side channels need to be eliminated or more explicitly regulated.

— Read more in “Peeking into Your App without Actually Seeing It: UIState Inference and Novel Android Attacks” (the paper will appear in Proceedings of the 23rd USENIX Security Symposium, San Diego, California, August 2014)

Source

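A defensive check for the side channel the article describes, as an added example that is not part of the original post or the researchers' code: it audits procfs mounts for the `hidepid` option, which stops one user's process from reading another user's `/proc/<pid>` files. It assumes a Linux-based system where per-process memory statistics are exposed through procfs, which the article does not state; the sample mount table is constructed.

```python
"""Audit procfs mounts for the hidepid option (added example)."""

# hidepid values accepted by Linux procfs; newer kernels also accept the names.
HIDEPID_LEVELS = {
    "0": 0, "off": 0,
    "1": 1, "noaccess": 1,
    "2": 2, "invisible": 2,
    "4": 4, "ptraceable": 4,
}

# Constructed sample in /proc/mounts format (not taken from a real device).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /srv/jail/proc proc rw,relatime,hidepid=2,gid=3009 0 0
proc /run/ct/proc proc rw,relatime,hidepid=invisible 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""


def proc_mounts(mounts_text):
    """Yield (mount_point, hidepid_level) for each procfs entry."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "proc":
            continue
        level = 0  # kernel default: every user can read every /proc/<pid>
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            if key == "hidepid":
                # Unknown values are treated as unprotected (fail closed).
                level = HIDEPID_LEVELS.get(value, 0)
        yield fields[1], level


def exposed_mounts(mounts_text):
    """Return procfs mount points where cross-user /proc/<pid> reads are allowed."""
    return [mp for mp, level in proc_mounts(mounts_text) if level == 0]


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for mp in exposed_mounts(fh.read()):
            print(f"{mp}: per-process files readable across users (no hidepid)")
```

On systems where each app runs under its own user ID, a procfs mount reported here is one where an unprivileged app can still read other apps' per-process statistics.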


stylemessiah

Okay so let me shorten this for you and debunk the premise in less than 25 words:

The attack works by getting a user to download a seemingly benign, but actually malicious, app

So how is this new?

The user has a weakness, not the fricking OS

It's a usual bunch of "researchers" trying to make something out of nothing, or in other words, blame the OS for the stupidity of the end user.

If this were the definition of an "exploit", you could find a trillion of them using the end user stupidity scenario as a template

Next....



On the operating system design, a more careful tradeoff between security and functionality needs to be made in the future, he said. For example, side channels need to be eliminated or more explicitly regulated.

NO! NO! NO! You don't start clamping down on power users just because the idiots don't know any better. That way, what's the difference between the relatively free Android and the walled garden of the iOS? If we wanted a stifling, clamped down system, we'd all be buying iPhones anyways! The Android appeal lies in its openness, dammit! :angry:

We already don't have root access by default even on Nexus devices, and as if that wasn't bad enough, some self proclaimed "security researchers" now think it's better to restrict the power user community even further by taking away side-loading so that they can mollycoddle all the dumba$$es? And they still complain that people are getting dumber? I wonder why? :wtf:

Nanny state, nanny OS, nanny everything ain't gonna make anybody any smarter. As long as you don't let people learn from past mistakes, they'll never learn. Let people make mistakes and they'll be better off precisely because of it. :yes:



stylemessiah


Like I often say on here, society is doomed

The topic should read "Major Weakness Discovered In Humans", it's factually more correct

They're far too lazy, too stupid and willing to look to nanny for help and spoonfeeding

And you're right, the way things are going the stupid and the smart alike will be treated as one, under what I call the Apple philosophy, one ecosystem for all, where they control every facet of the gadget (ultimately humans), the hardware (our bodies), the OS (our minds) and what you can do with them...no freedom at all.

Don't even get me started on the nutters that every day give away their freedom using "social media"......they'll be the first (and easily) rounded up if the shit ever hits the fan.....still, they'll make nice soylent green for the rest of us who aren't as thick as shit.

Avoid becoming soylent green ...stop using FaceWank and TwitFace today :)




I think we were related in another life, man! If I didn't know better, I'd think your account is a duplicate one of mine LOL! :tehe:

I'm no tin foil hat wearing, Infowars worshiping, paranoid nutter myself - in fact exactly the opposite, but I am a pragmatic real world inhabitant with just the right amount of cynicism that's required to make it through everyday life without being taken for a ride. ;)

Ironically, all this makes you remember that iconic Apple Macintosh commercial from the 1984 Super Bowl where they exhort you to "think different". Oh man, the irony of it all. :nono:



stylemessiah


Hehehe we have to stop it before it becomes a bromance :)

I may not have mentioned it before on here, but I have Asperger's, so to me the world is very black and white, I have a very analytical mind and no time for bs, infowars and paranoid theories or fools. My mind sees in terms of wrong and right (not far right).

Nice mention of the Mac "Think Different" campaign...if only then the Apple cultists knew what Jobs meant was actually to prepare to become part of a hive mind...oh wait, they still would have signed up to be a member of the skivvy brigade.....sadly that mindset has jumped over into ordinary everyday life and people are now mindless drones walking around attached to their devices and social media, like lab rats hitting a button for a pellet....from their imaginary friends or "followers" <- cultish, I think so.

You know where I'm going with this...Society Is Doomed.



I find it quite difficult to infect your computer if you use your brain a bit. Of course, there are exceptions, and there is where a good AV could be used as a backup.



As someone that fixes computers for the last 25+ years, I find most of the problems with all OSes are usually situated behind the keyboard



stylemessiah


Exactly

There should be a PC, and an Internet license test.

The worst day in internet history was when they let just anyone on it, before that there was an exceptionally good chance the person you were talking to (usually uni researchers etc) actually had a fricking brain. Now it's ruined by common folk. Lolcats are fine, I'm a cat person :), but the rest of the internet is a vast wasteland of banality and superficial shiny stuff, oh and assclowns on social media



IMHO the biggest waste of space on the internet is facecrap



Agreed with all comments..But having said that this sort of information (I would hope) helps newer users who are not aware of these sort of things..Hence why I post them..Peace.. :rasta:




Fo' shizzle ma nizzle, Ali G :lmao:



Archived

This topic is now archived and is closed to further replies.
