The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

The paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," will be presented Friday, Aug. 22 at the 23rd USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D.

The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system. However, they haven't tested the program using the other systems.

The researchers started working on the method because they believed there was a security risk with so many apps being created by so many developers. Once a user downloads a bunch of apps to his or her smartphone, they are all running on the same shared infrastructure, or operating system.

"The assumption has always been that these apps can't interfere with each other easily," Qian said. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel: the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature to efficiently allow processes to share data.)

The researchers monitor changes in shared memory and are able to correlate changes to what they call an "activity transition event," which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank.