2 Serious App-in-the-Middle Vulns Found in Android for Work

A pair of newly uncovered Android vulnerabilities allow maliciously crafted personal apps to silently view, steal and even manipulate content that should be safely locked in the Work profile of Android.

Google’s work features in Android were developed to address the massive demand for using personal devices in the business environment. The basic idea is to create a separate profile on the device which has business-level controls, while leaving the original, personal profile open and unmanaged.

“The Android mechanism of user separation relies on an additional sandbox or secure container, where apps outside the sandbox cannot access data inside the sandbox,” explained Yair Amit, CTO and co-founder, Skycure, in a blog. “In other words, no application installed within the device’s personal profile should have any kind of access to the activity or content in the work profile.”

However, Skycure found that two ‘app-in-the-middle’ attacks could get around this.

The first issue is that work persona notifications are presented alongside personal notifications in the same, seamless interface. Since Notifications access is a device-level permission, a malicious app in the personal profile can acquire permission to view and take actions on all notifications, including work notifications, by design.

Sensitive information, such as calendar meetings, email messages and other information appears in these notifications, which are also visible to the “personal” malicious app. If the malicious app is designed to transmit the information viewed in notifications to a command and control server, then the information contained in notifications is no longer secure.

Worse, “a clever hacker may be able to use this method to gain even greater access into sensitive work information by initiating a forgot[ten] password process on some enterprise system and hijacking the subsequent on-device notification to grant himself full enterprise access, even outside of the context of the mobile device,” said Amit. “To keep this attack covert, the malicious app can immediately dismiss the notification and ‘archive’ the recovery email using the Android Notifications API so the victim is completely unaware they have been hacked….The attacker may even capture two-factor authentication and administrators will not have any visibility of the theft.”

As for the second vulnerability, it exists in the Accessibility Service, which provides user interface enhancements to help users interact with their device. This includes features like audible narration of on-screen text for visually impaired users. In order to facilitate these features, the Accessibility Service necessarily has access to virtually all content and controls, both reading and writing, on the device. An application in the personal profile that acquires Accessibility permissions can gain access to applications that are executed in the business persona, effectively circumventing the secure separation.

“This app-in-the-middle resides in the personal profile, yet is effective in stealing corporate information as the user interacts with it,” Amit said. “The personal profile cannot be monitored or controlled from the work profile, so even if IT administrators try to enforce security on the work profile (e.g., by restricting the profile settings or allowing only whitelisted apps) it won’t be possible to detect any exposure of sensitive information that uses the Accessibility Service, as they cannot access the personal profile. In order to perform such an attack, a malicious application would register as an Accessibility Service, present it with an innocent label, and manipulate the user to grant the access.”
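Both grants described above are recorded on the device, so they can be audited from the device side. The following is an added example, not from the article or from Skycure: it parses the two Android `Settings.Secure` values that list enabled notification listeners and accessibility services and reports any package outside a reviewed allowlist. The package names, the allowlist and the sample values are constructed for illustration.

```python
from typing import NamedTuple

# Settings.Secure keys that record the two device-level grants discussed above.
# On a test device the values can be read with, for example:
#   adb shell settings get secure enabled_notification_listeners
#   adb shell settings get secure enabled_accessibility_services
KEYS = ("enabled_notification_listeners", "enabled_accessibility_services")

# Constructed sample values: colon-separated "package/class" component names.
SAMPLE = {
    "enabled_notification_listeners":
        "com.example.launcher/com.example.launcher.NotificationListener:"
        "com.example.flashlight/.NotifyTap",
    "enabled_accessibility_services":
        "com.example.screenreader/com.example.screenreader.ReaderService:"
        "com.example.flashlight/.Helper",
}
# Hypothetical allowlist of packages the organisation has reviewed.
ALLOWLIST = {"com.example.launcher", "com.example.screenreader"}


class Finding(NamedTuple):
    setting: str
    package: str
    service: str


def parse_components(raw):
    """Split a settings value into (package, full class name) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # "null" is printed when the key is unset
        return []
    pairs = []
    for item in raw.split(":"):
        pkg, sep, cls = item.strip().partition("/")
        if not (sep and pkg and cls):
            continue                 # skip malformed entries
        if cls.startswith("."):      # short form: class is relative to package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def audit(settings, allowlist):
    """Return every enabled listener or service whose package is not allowlisted."""
    return [Finding(key, pkg, cls)
            for key in KEYS
            for pkg, cls in parse_components(settings.get(key))
            if pkg not in allowlist]


if __name__ == "__main__":
    for f in audit(SAMPLE, ALLOWLIST):
        print(f"{f.setting}: {f.package} ({f.service})")
```

A package that appears under both keys, as the constructed `com.example.flashlight` does here, holds both of the grants the article describes and is the first thing to review.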

The Android team says that both of these are “intended behaviors”—which means that no patch will be forthcoming.

“As that behavior poses an unexpected and clear threat to corporate data of organizations that utilize Android for Work, we have mutually agreed to disclose the findings with the public, to raise awareness to the exposure,” Amit said.
