It’s been a rough month for Android security. The latest is an issue found in Google’s Android Admin application that allows other applications on the device to bypass sandbox restrictions.
That means that those other applications can read arbitrary files through the use of symbolic links.
According to MWR Labs, the issue occurs when the Google Admin application receives a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a WebView within its own activity. If an attacker used a file:// URL to redirect to a file that they controlled, then it is possible to use symbolic links to bypass the Same Origin Policy and retrieve data out of the Google Admin sandbox.
The issue arises from the fact that the Google Admin application has an exported activity that accepts an extra string called setup_url. This can be triggered by any application on the device, creating a new intent with string set to a file URL that an attacker can write to. The ResetPinActivity will then load this in the WebView under the privileges of the Google Admin application.
The attacker can add HTML in to the world readable file, which includes an iFrame that will load the world readable file again within the frame after a 1-second delay. The Google Admin application loads this file and renders it into its WebView.
Next, the attacker deletes the world readable file and replaces it with a symbolic link of the same name that points to a file in the Google Admin sandbox.
After one second, the iFrame in the WebView will load the file, which will now point to one of its own files. Because the parent and child frames have the same URL, the Same Origin Policy allows the parent frame to query the contents of the child frame. This means that the HTML that the attacker controls can read from the files loaded into the iFrame and extract their data.
No update has been released yet, researchers said, but they recommended that devices with Google Admin installed should not download any untrusted third-party applications.