One of the pillars of Google’s enterprise-focused “work features in Android platform,” previously called Android for Work, is security. But a newly discovered exploit demonstrated at the RSA conference in San Francisco on February 16 showed how an attacker could view, steal, and even manipulate content on a corporate Android smartphone without tipping off IT administrators.
The flaw, discovered by Yair Amit, chief technology officer of cybersecurity firm Skycure, has to do with the way Android for Work handles “sandboxes,” or protects user profiles. The service operates on the idea of a “work” profile with business-level controls, enterprise applications, corporate email, and secure documents on a smartphone or tablet. This secure profile effectively acts as a separate user, though it shares icon badges and notifications with the personal profile.
This concept of sandboxing — creating a secure container where apps outside the work profile can’t access data inside it — is key to Android for Work’s conceit. But it isn’t bulletproof.
One potential line of attack involves Android’s notifications framework. Incoming
But notifications on Android are a device-level permission, meaning apps in the personal profile can potentially manipulate the content of notifications from the work profile. Malicious software could view sensitive incoming work emails, calendar appointments, file attachments, and other messages, for example, and could transmit that information to a remote server.
The second line of attack exploits a flaw in Android’s Accessibility Service, the
That’s not to suggest the attacks can’t be mitigated. Android 6.0 Marshmallow requires users to manually allow apps to create system overlays by changing permissions in the settings menu. And the Notifications attack requires a user to grant extraordinary permissions to an installed app. Still, Amit notes the relative ease of circumventing
“The interesting thing about both of these […] methods of defeating the Android for Work profile separation is that the device and the
“It is the user who must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information. [The] illusion of a secure container […] tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect data.”
- A flaw in MediaTek audio chips could have exposed Android users’ conversations
- There’s a major Android bluetooth security flaw. Here’s how to fix it
- Google says hackers have been able to access your iPhone data for years