Major Android Security Flaw may be Shared in iOS, Windows
Category: Science & Technology
Posted: August 21, 2014 12:57PM
As we use our mobile devices more and more, the importance of securing them becomes greater and greater. Researchers at the University of California, Riverside have recently discovered a security flaw in the Android OS that can be exploited with an almost perfect success rate, and almost all popular operating systems may share the vulnerability.
The vulnerability involves a shared-memory side channel: shared-memory statistics about processes can be accessed without any permissions. From this information, it is possible to infer what an app is doing, such as logging in or receiving information for a purchase. On its own, this vulnerability is not serious, but the researchers found it could be used to time an attack that exploits a feature of many modern GUIs, which is why more than just Android may be at risk. The feature allows the screen to be preempted, for example to show an alarm. In this attack, though, what comes up is a false version of the expected window. Because the attack is timed using the shared-memory data, the user will fail to notice the switch.
The researchers tested the attack on seven apps, with the following success rates (higher is worse): Gmail at 92%, H&R Block at 92%, Newegg at 86%, WebMD at 85%, CHASE Bank at 83%, Hotels.com at 83%, and Amazon at 48%. Amazon has the lower success rate because it is harder to infer the state of the app, as it can transition between almost any activity.