Researchers from the University of California Riverside Bournes College of Engineering and the University of Michigan have exposed a weakness that they feel may exist in Android, iOS and Windows operating systems that could enable malevolent applications to snag personal information. There’s one ability that all apps share that poses the biggest threat to smart phone security-that is, the ability to access a phone’s shared memory.
UC Riverside associate professor Zhiyun Qian said, in a CNET interview, “The assumption has always been that these apps can’t interfere with each other easily. We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
Researchers demonstrated the vulnerability of attacks to apps on an Android phone. An apparently harmless app, like wallpaper, can be the starting point for stealing vital information. The researchers showed they could then access shared memory statistics and connect changes in the stats to numerous activities, from checking email to taking a picture of a check to deposit it through Chase Bank. Gmail, H&R Block and Chase Bank proved to be the most vulnerable to attacks; researchers logged an attack success rate between 82% and 92%.
Two things must happen for a successful attack. The attack must happen at the exact moment that an action is taking place, such as logging in to a banking app. Next, the attack must happen without the user noticing it. Qian recommended Windows, iOS and Android users to avoid untrusted apps and to pay close attention to the permissions and information access that even trusted apps require.