FotolEdhar - Fotolia
Skycure Ltd. researchers demonstrated a proof-of-concept attack that can bypass Android for Work enterprise mobility management's sandboxing tools, which are designed to securely separate a work profile and a personal profile on Android devices. How does the attack work, and what are the possible risks?
BYOD programs are part of today's business model, but they introduce a variety of security risks. A big challenge for those enforcing security policies is finding a way to separate personal and corporate applications and data installed on employee-owned devices without violating the owner's privacy.
Unlike mobile device management (MDM) software, which controls the entire device and all its contents, containerization technologies can balance the security needs of the enterprise with the demands of its users by segregating business and personal data. Corporate data is stored in containers, establishing a clear division between what is and is not subject to a corporate security policy.
Android for Work sandboxing tools were introduced in version 5.0 Lollipop, though now, Google brands it as part of the Android operating system. It creates a separate work profile with business-level controls on the device, while leaving the personal profile open, neither managed, nor monitored by enterprise administrators. These profiles isolate applications, the network and storage, so apps installed within the device's personal profile cannot access activity or content in the work profile.
Researchers from the mobile threat defense company Skycure discovered two flaws in the separation logic of Android for Work sandboxing tools that enable a malicious personal app to silently view, steal and manipulate content in the work profile.
By default, work profile notifications and app icons have a red briefcase on them so they can be distinguished from personal apps. However, notifications access is a device-level permission, and Skycure found that a malicious app in the personal profile can acquire permission to view and take action on all notifications, including work notifications.
By using social engineering to trick a user into granting a malicious app notifications access permission, an attacker can send any information contained in work notifications, such as video conference login details and email messages, to a command-and-control server.
This app-in-the-middle attack could also be used to covertly read password recovery emails by dismissing the notification and archiving the recovery email using the Android Notifications API. All the app would need, in addition to permission to read and send notifications, is permission to dismiss and act on notifications.
The second attack vector is a vulnerability in Android's accessibility service, which provides features like audible narration of onscreen text. The service has read and write access to virtually all content and controls on a device, so a malicious app installed in the personal profile that acquires accessibility permissions could gain access to apps and data in the work profile, again circumventing the secure separation that Android for Work sandboxing tools are meant to enforce. IT administrators can't detect if sensitive information is being stolen, as they don't have access to a user's personal profile.
Both attack techniques leverage social engineering to dupe users into installing malicious apps. Security awareness training should familiarize users with the typical tactics used by social engineers and should emphasize the importance of only installing apps created by well-established vendors from the Google Play Store. Users should also be encouraged to run the latest Android operating system, as Marshmallow (6.x) prevents abuse of the draw over apps feature that some hackers have used to trick users into granting permissions without their knowledge.
Learn about the Android for Work security improvements in Android Nougat
Find out how the Linux kernel memory features protect Android devices
Discover the differences between software containers and sandboxes
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading