
Android sandboxing tools: How can work data separation be bypassed?

Android for Work's sandboxing tools, which split work and personal profiles, can be bypassed with a proof-of-concept attack. Expert Michael Cobb explains how the attack works.

Skycure Ltd. researchers demonstrated a proof-of-concept attack that can bypass Android for Work enterprise mobility management's sandboxing tools, which are designed to securely separate a work profile and a personal profile on Android devices. How does the attack work, and what are the possible risks?

BYOD programs are part of today's business model, but they introduce a variety of security risks. A big challenge for those enforcing security policies is finding a way to separate personal and corporate applications and data installed on employee-owned devices without violating the owner's privacy.

Unlike mobile device management (MDM) software, which controls the entire device and all its contents, containerization technologies can balance the security needs of the enterprise with the demands of its users by segregating business and personal data. Corporate data is stored in containers, establishing a clear division between what is and is not subject to a corporate security policy.

Containerization and sandboxing tools, such as Android for Work, Apple iOS Managed Apps and Samsung Knox, are often used as a complement to or even as a replacement for MDM controls.

Android for Work sandboxing tools were introduced in version 5.0 Lollipop, though Google now brands the feature as part of the Android operating system. It creates a separate work profile with business-level controls on the device, while leaving the personal profile open: neither managed nor monitored by enterprise administrators. These profiles isolate applications, the network and storage, so apps installed within the device's personal profile cannot access activity or content in the work profile.

Researchers from the mobile threat defense company Skycure discovered two flaws in the separation logic of Android for Work sandboxing tools that enable a malicious personal app to silently view, steal and manipulate content in the work profile.

By default, work profile notifications and app icons have a red briefcase on them so they can be distinguished from personal apps. However, notifications access is a device-level permission, and Skycure found that a malicious app in the personal profile can acquire permission to view and take action on all notifications, including work notifications.

By using social engineering to trick a user into granting a malicious app notifications access permission, an attacker can send any information contained in work notifications, such as video conference login details and email messages, to a command-and-control server.

This app-in-the-middle attack could also be used to covertly read password recovery emails by dismissing the notification and archiving the recovery email using the Android Notifications API. All the app would need, in addition to permission to read and send notifications, is permission to dismiss and act on notifications.

The second attack vector is a vulnerability in Android's accessibility service, which provides features like audible narration of onscreen text. The service has read and write access to virtually all content and controls on a device, so a malicious app installed in the personal profile that acquires accessibility permissions could gain access to apps and data in the work profile, again circumventing the secure separation that Android for Work sandboxing tools are meant to enforce. IT administrators can't detect if sensitive information is being stolen, as they don't have access to a user's personal profile.

Both attack techniques leverage social engineering to dupe users into installing malicious apps. Security awareness training should familiarize users with the typical tactics used by social engineers and should emphasize the importance of only installing apps created by well-established vendors from the Google Play Store. Users should also be encouraged to run the latest Android operating system, as Marshmallow (6.x) prevents abuse of the draw over apps feature that some hackers have used to trick users into granting permissions without their knowledge.
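Because both techniques rest on a device-level grant made by the user, one check with the device in hand is to list which packages currently hold notification access and accessibility permissions. The Python sketch below is an added example, not part of the original article; it parses the values printed by `adb shell settings get secure enabled_notification_listeners` and `adb shell settings get secure enabled_accessibility_services`, and the allowlist, the `com.example.*` package names and the sample strings are constructed assumptions.

```python
# Added example: list apps holding the two device-level grants discussed above.
ALLOWLIST = {  # hypothetical packages the organisation has approved
    "com.google.android.marvin.talkback",
    "com.example.wearsync",
}

# Constructed sample values, in the colon-separated "package/class" form
# printed by `adb shell settings get secure <key>`.
SAMPLE_LISTENERS = ("com.example.flashlight/.NotifyTap:"
                    "com.example.wearsync/com.example.wearsync.Listener")
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/"
                        "com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.flashlight/.HelperService")


def parse_components(raw):
    """Return (package, class) pairs; 'null' or empty means nothing is enabled."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    pairs = []
    for entry in filter(None, (e.strip() for e in raw.split(":"))):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # short form: class relative to package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def audit(listeners_raw, accessibility_raw, allowlist=ALLOWLIST):
    """Flag non-allowlisted holders of either grant; note packages holding both."""
    grants = {"notification_access": parse_components(listeners_raw),
              "accessibility": parse_components(accessibility_raw)}
    findings = [{"grant": g, "package": p, "service": c}
                for g, pairs in grants.items() for p, c in pairs
                if p not in allowlist]
    per_pkg = {}
    for f in findings:
        per_pkg.setdefault(f["package"], set()).add(f["grant"])
    both = sorted(p for p, gs in per_pkg.items() if len(gs) == 2)
    return findings, both


if __name__ == "__main__":
    findings, both = audit(SAMPLE_LISTENERS, SAMPLE_ACCESSIBILITY)
    for f in findings:
        print(f"{f['grant']:20} {f['package']}  ({f['service']})")
    print("holds both grants:", both)
```

A package that appears under both grants and is not on the allowlist is the first one to review with the device owner.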


This was last published in July 2017
