Problem lies in Android's (-x) permission model

Sep 10, 2016 00:50 GMT  ·  By

Belgian security researcher Arne Swinnen has helped Google fix a security issue in Android 7 that in the previous OS versions allowed attackers to infer enough data about the device and its apps to determine the device's real owner.

Swinnen, a known and prodigious contributor to Facebook's bug bounty programs, discovered a problem with the file and folder permissions system used to limit access to sensitive data stored inside app folders on Android devices.

The researcher says that an attacker (represented by a rogue app installed on the device) could use Android shell commands to change the rogue app's current working directory to another app's private data folder.

A problem with Android's permissions model

The default Android app permissions model would allow the rogue app to traverse the directory and open or execute a file inside it by its exact path, but not to list the folder's contents to discover new files or to read any file's content. In this scenario, the app would have to know the exact path of the file it accesses.

This opens a few security holes. "However, what is remarkable is that existing files inside these directories can be listed and their meta-information gathered, when the filename is known," Swinnen explains.

One such scenario is the YouTube Android app, which uses a standard youtube.xml file in the /data/data/com.google.android.youtube/shared_prefs/ folder to store data processed inside the app in real time.

An attacker could repeatedly query this file by name and get back only its size and last-modified date (the contents stay hidden, because the rogue app has no read permission on them). Since the YouTube app updates this file every few seconds while it is in use, a rogue app could monitor the file's metadata and determine when the app, and therefore the device, is in use.
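The two paragraphs above come down to ordinary Unix directory permission semantics, which are easy to see on any Linux box. The following script is an added example, not code from the article or from Swinnen's research: it builds a throwaway directory shaped like an app's shared_prefs folder (the path and the file contents are constructed), then shows that with only the execute (search) bit set, the directory cannot be listed but the size and modification time of a file inside it can still be fetched by exact name, and that removing the execute bit closes that channel as well. Because a single user cannot act as two app UIDs, the demo strips the owner bits, so the non-root user running it faces the same checks a different UID would; it assumes it is not run as root, since root bypasses mode bits entirely.

```shell
#!/bin/sh
# Added example, not code from the article or from Swinnen's research.
# Reproduces the directory-permission semantics described above on a
# throwaway tree. Assumptions: runs as a non-root user (root bypasses mode
# bits), and the owner bits stand in for the "other" bits a second app UID
# would face, since one user cannot act as two UIDs.

set -u

# Build a throwaway tree shaped like an app's private data directory.
# The path and the file contents are constructed for the demo.
make_fake_app_dir() {
    app_dir=$(mktemp -d)
    mkdir "$app_dir/shared_prefs"
    printf '<map><string name="last_seen">demo</string></map>\n' \
        > "$app_dir/shared_prefs/youtube.xml"
    echo "$app_dir"
}

# probe_dir MODE: apply MODE to shared_prefs, then report whether listing
# the directory and fetching metadata of the known file name succeed.
# Prints, for example, "listing=denied stat=ok".
probe_dir() {
    probe_mode=$1
    probe_root=$(make_fake_app_dir)
    prefs="$probe_root/shared_prefs"
    known_file="$prefs/youtube.xml"

    chmod "$probe_mode" "$prefs"

    # Listing the directory needs its read bit.
    if ls "$prefs" >/dev/null 2>&1; then listing=ok; else listing=denied; fi

    # ls -ld on an exact path only needs the execute (search) bit on the
    # directory; it returns size and mtime without opening the file.
    if ls -ld "$known_file" >/dev/null 2>&1; then meta=ok; else meta=denied; fi

    # Restore permissions so the temp tree can be removed.
    chmod 700 "$prefs"
    rm -rf "$probe_root"
    echo "listing=$listing stat=$meta"
}

# True when permission checks would be bypassed (running as root).
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# Demo output when the script is run directly.
echo "mode 111 (search only): $(probe_dir 111)"
echo "mode 000 (no access):   $(probe_dir 000)"
echo "mode 700 (owner full):  $(probe_dir 700)"
```

Run as a normal user, the 111 case prints `listing=denied stat=ok`, which is exactly the metadata side channel the article describes; the 000 case prints `listing=denied stat=denied`, which is why removing the execute bit for other UIDs shuts it down. The same check can be used as an audit on a rooted test device: any app data directory that still grants the execute bit to other users leaves this channel open.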

Other apps have similar files, stored in other sections of their internal structure, so the attack could be ported to any other application.

Brute-forcing the Instagram app can reveal the phone owner's real name

Furthermore, for apps that use predictable file names, such as Instagram or Facebook, the rogue app could launch brute-force attacks to guess those file names.

In Instagram's case, this file is /data/data/com.instagram.android/shared_prefs/.xml, while for Facebook, this is /data/data/com.facebook.katana/shared_prefs/XStorage-LATEST-.xml.

For Instagram, this user ID value is incremental and ranges between 0 and 2500000000. According to Swinnen, brute-forcing through all the Instagram IDs would take around four days on a Nexus 4 device.

The researcher even created a brute-forcing script that runs in the background on Android, meaning the rogue app does not have to stay open in the foreground the whole time.

Once a match is identified for the correct user ID file in the correct app folder location, the attacker has the phone owner's Instagram ID, which in some cases may lead back to the user's real identity.

Swinnen reported the bug to Google last December, and the company fixed it with the release of Android 7. The researcher also received $500 for his work.