Android apps that make careless use of external storage (such as SD cards) could leave your phone vulnerable to hackers.
Your phone's internal storage is carefully managed – each app uses it separately, and it's protected by the Android sandbox. External storage, like SD cards, is different. It allows data to be shared between apps and doesn't have the same protection.
Researchers from Check Point Security discovered that apps that use external storage without proper security precautions leave devices vulnerable to 'Man-in-the-Disk' attacks. These could allow a hacker to install malware, prevent legitimate apps from running, and even make apps crash.
A developer might use external storage to make it look as though their app uses less space than it actually does, to make it compatible with older devices, or to provide extra space when the phone's internal storage isn't enough.
Google provides some basic guidelines for developers who decide to do this:
- Perform input validation when handling data from external storage
- Do not store executables or class files on external storage
- External storage files should be signed and cryptographically verified prior to dynamic loading
However, Check Point found several apps in the Google Play Store that ignored these rules, including two of Google's own tools: Google Translate and Google Voice Typing. Neither of these apps validated the integrity of data from external storage, and the researchers were able to exploit that vulnerability to make them crash.
They also discovered that Xiaomi Browser used external storage to store app updates. By replacing the update code, they were able to cause a different app to be installed without permission. Check Point contacted Google, which released a fix shortly after, but XIaomi chose not to act.
"From experience then, it would seem that mere guidelines are not enough for OS vendors to exonerate themselves of all responsibility for what is designed by app developers," Check Point said. "Instead, securing the underlying OS is the only long-term solution to protecting against this new attack surface uncovered by our research."