Malicious hackers could exploit flaws in Android for Work to nab sensitive data

android 23 gingerbread deprecated for work
wutlufaipy/123RF
One of the pillars of Google’s enterprise-focused “work features in Android platform,” previously called Android for Work, is security. But a newly discovered exploit demonstrated at the RSA conference in San Francisco on February 16 showed how an attacker could view, steal, and even manipulate content on a corporate Android smartphone without tipping off IT administrators.

The flaw, discovered by Yair Amit, chief technology officer of cybersecurity firm Skycure, has to do with the way Android for Work handles “sandboxes,” or protects user profiles. The service operates on the idea of a “work” profile with business-level controls, enterprise applications, corporate email, and secure documents on a smartphone or tablet. This secure profile effectively acts as a separate user, though it shares icon badges and notifications with the personal profile.

This concept of sandboxing — creating a secure container where apps outside the work profile can’t access data inside it — is key to Android for Work’s conceit. But it isn’t bulletproof.

One potential line of attack involves Android’s notifications framework. Incoming Android for Work messages are designated with a red briefcase icon in Android’s notifications window, giving the impression that they remain segregated from those in the personal profile.

But notifications on Android are a device-level permission, meaning apps in the personal profile can potentially manipulate the content of notifications from the work profile. Malicious software could view sensitive incoming work emails, calendar appointments, file attachments, and other messages, for example, and could transmit that information to a remote server.

The second line of attack exploits a flaw in Android’s Accessibility Service, the Android component that provides usability enhancements for impaired users. It necessarily has access to virtually all of Android’s content and controls, making apps that acquire permission to use it particularly dangerous — and difficult to detect. For instance, an app could use Android’s Draw Over Apps feature, which allows apps to lay text and graphics on top of other apps, to trick a user into activity Accessibility Service or Notifications without their knowledge.

That’s not to suggest the attacks can’t be mitigated. Android 6.0 Marshmallow requires users to manually allow apps to create system overlays by changing permissions in the settings menu. And the Notifications attack requires a user to grant extraordinary permissions to an installed app. Still, Amit notes the relative ease of circumventing Android for Work’s sandboxing method by exploiting the “illusion” of security.

“The interesting thing about both of these […] methods of defeating the Android for Work profile separation is that the device and the Android operating system remain operating exactly as designed and intended,” Amit said.

“It is the user who must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information. [The] illusion of a secure container […] tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect data.”

Product Review

Razer Phone 2 fixes everything wrong with the original

The Razer Phone had a great screen, strong speakers, powerful performance, but a mediocre camera, no water resistance, and a high price. With the Razer Phone 2, Razer has improved on the predecessor in every way.
Photography

Adobe Premiere Rush CC is the cloud-based video editing app you've been waiting for

On stage at Adobe MAX 2018, Adobe announced its cloud-centric, social video-editing application, Adobe Premiere Rush CC. We took some time to put it through its paces to see what it offers, how it works, and what's missing.
Mobile

Here’s our guide on how to get ‘Fortnite’ on your Android device

'Fortnite: Battle Royale' is one of the biggest games in the world right now, and it's finally on Android, even if getting set up is a bit long-winded. Here's how to play 'Fortnite: Battle Royale' on an Android device.
Computing

Was your Facebook account hacked in the latest breach? Here’s how to find out

Facebook now reports that its latest data breach affected only 30 million users, down from an initial estimate of 50 million accounts. You can also find out if hackers had accessed your account by visiting a dedicated portal.
Mobile

Inferiority is a feature now! Palm's new plan is psychotic

The Palm is a smartphone to reduce your smartphone usage, or a small smartphone for when you don't want to carry your big smartphone. Palm itself doesn't seem sure which it is, but either way, it's a product that's so witless, we're amazed…
Mobile

Huawei and Leica’s monochrome lens is dead, so we celebrate its life

The Huawei Mate 20 and Mate 20 Pro do not have a dedicated monochrome camera lens, unlike the P20 Pro, and various Huawei and Leica phones before it. It's the end of an era, and also the start of a new one, as Leica has worked on its…
Deals

Verizon’s buy one, get one offer is the best deal on the new Google Pixel 3

If you need a new smartphone and want the best (without shelling out a grand or more), the new Google Pixel 3 and Pixel 3 XL are fantastic options. Verizon's BOGO offer is the best way to score a deal, letting you snag a free phone and save…
Mobile

Huawei Mate 20 Pro vs. Samsung Galaxy Note 9: Flagship fight

When it comes to stunning flagships, Samsung and Huawei are often the first names the come to mind. And the new Huawei Mate 20 Pro is no exception. So how does it compare to the Samsung Galaxy Note 9? We put the two to the test to find out.
Mobile

Here’s how Google’s Call Screening A.I. works, and how to use it

Google's Pixel 3 and 3 XL smartphones can take excellent photos, but there are a few artificial intelligence features that steal the show. Call Screening uses Google Assistant to answer the phone for spam calls.
Mobile

Key settings you need to change on your Sony Xperia XZ3

The first thing you need to do when you buy a new phone is dig into the settings and customize it to your liking. We’ve got step-by-step instructions for tweaking key settings on your Sony Xperia XZ3 right here.
Computing

Is the Pixelbook 2 still happening? Here's everything we know so far

What will the Pixelbook 2 be like? Has the Pixel Slate taken its place? Google hasn't announced it, but thanks to rumors and leaks, we think we have a pretty good idea of what the potential new flagship Chromebook will be like.
Mobile

These are the best LG V40 ThinQ cases to stop unsightly damage

The LG V40 ThinQ is the latest entry in LG's long line of great V series phones, but it's not invincible. The best way to protect it from potential damage is with one of the best LG V40 ThinQ cases.
Mobile

With Spotify for WearOS, you no longer need your phone to stream music

A Spotify app will soon be available for download on Wear OS smartwatches. Whether you're working out or lounging at home, you'll soon be able to access and control your music straight from your wrist.
Mobile

The best Xperia XZ3 cases to keep your new Sony phone shiny

The Xperia XZ3 is a great phone with powerful hardware, a capable camera, and a lovely glass design. But glass is fragile, and can be broken. Here are some of the best Xperia XZ3 cases to prevent that.