However, Android apps often handle external storage poorly, leaving users vulnerable to exploits according to new research by Check Point. These exploits are being labeled as “man-in-the-disk” attacks, which could lead to the installation of malicious apps, the injection of harmful code, and denial of service attacks against other legitimately-installed apps.
The main issue, according to Check Point, is that Google affords a device's internal storage protection from outside attacks thanks to the Android Sandbox. However, external storage (i.e. microSD cards) does not have this luxury, and data stored there is accessible by all applications.
Apps that rely heavily on external storage can leave users open to malicious attacks due to the unprotected nature of this medium. According to Check Point, a user could be persuaded to download a rather innocuous-looking app that would ask for access to external storage. This is a request that is often asked by an app that might need additional storage overhead, and wouldn't normally be considered out of the ordinary. However, this is where the trouble rears its ugly head.
"From that point on, the attacker is able to monitor data transferred between any other app on the user’s device and the External Storage, and overwrite it with his own data in a timely manner, leading to the unwelcome behavior of the attacked application," write the researchers. "In this way, the attacker has his ‘Man-in-the-Disk’ looking out for ways in which he can intercept traffic and information required by the user’s other existing apps, and offer a carefully crafted derivative of the data that would lead to harmful results."
The research team was able to compromise a number of apps -- including those made by Google -- with this external storage exploit. Some of the apps that were vulnerable included Google Voice Typing, Google Translate, and Google Text-to-Speech. Check Point was able to repeatedly crash these apps, while it was able to use code injection on the Xiaomi Browser app to install an unauthorized piece of software.
On the plus side, the researchers reached out to both Google and Xiaomi about the exploits, and they promptly updated their software to perform input validation from external storage, refrain from storing executables in external storage, and require files in external storage to be signed and cryptographically verified. In fact, these are Google's own external storage guidelines for Android that even it apparently wasn't following for its first-party apps.
While these above apps were patched quickly, it leaves us to wonder about the thousands of other apps that are available on the Play Store that have access to internal storage. If Google can be relatively careless with regards to following its own storage guidelines, that doesn't bode well for developers that might not put such a high priority on security.