Android messaging apps leaking data through 'surreptitious sharing'

Vulnerability in Unix-based file permissions exposed passwords, private keys and message histories when users share images and other files.

Flaw strikes at the soft underbelly of Android
Flaw strikes at the soft underbelly of Android

German researchers have found a serious flaw in the way many popular Android email and messaging apps – including Skype and even secure systems like Telegram and Signal – share documents, images and videos.

Dominik Schürmann and Lars Wolf from Braunschweig University of Technology say the bug, dubbed ‘Surreptitious Sharing', allows attackers to capture data including passwords, private keys and message histories.

They tested 12 popular email and messaging apps and found eight were exploitable. As a result, they said, the flaw is “definitely present in many more apps”.

The affected messaging apps are Skype, Threema, Telegram and Signal. The vulnerable email apps are Google's Gmail and AOSP Mail, K-9 Mail and WEB.DE.

Four messaging apps were found to be safe – WhatsApp, Hangouts, Facebook Messenger and Snapchat.

The bug lies in the main ‘Intent' file-sharing API that Android apps use. This allows an attacker to access the receiving app's private files. Worryingly, even privacy-focused messaging apps were “easily exploitable”, the researchers said.

Schürmann confirmed in a blog: “The vulnerability is present in many published communication apps, allowing privilege escalation and data leakage. In the worst case, this can possibly leak private keys stored by popular encrypted messaging apps, such as Threema, Telegram or Signal.”

The researchers proved the bug's impact through two attacks – setting up a fake bug report to capture email users' passwords as well as grabbing the messaging apps users' message histories via a fake music sharing button.

The bug-report trick worked on K-9 Mail and WEB.DE Mail. Schürmann and Wolf could also bypass the security checks in AOSP Mail and the pre-Android 6 version of Gmail, after their attack was initially blocked. Later Gmail versions were safe.

They also “easily executed” their exploit on Skype, captured Signal's database, grabbed both Threema's encrypted database and the key to unlock it and found Telegram was also vulnerable.

The researchers first alerted the apps vendors to the problem in late January and early February and all the affected apps tested have now been patched – except Skype. But Schürmann told SCMagazineUK.com via email: “After publishing the blog post, Microsoft [which owns Skype] just sent me an email stating that they are now working on the issue.”

In his blog, he said: “We like to acknowledge that the developers of K-9 Mail, WEB.DE Mail, Threema and Telegram answered very fast.” He and Wolf have also been awarded $1,337 (£940) bug bounty by Google and $1,000 (£700) by Telegram.

Schürmann confirmed: “It is important to note that we only informed developers of apps which have been explicitly evaluated in our paper. The issue is definitely present in many more apps besides the discussed ones.”

He told SC it is “difficult to estimate” how many more vulnerable apps are out there. “I haven't done any analysis of the whole Google Play market. The apps evaluated in the paper were chosen randomly based on my personal usage to demonstrate the issue.”

But to combat the threat, he advised: “Developers should use our backward compatible fix available at https://github.com/cketti/SafeContentResolver.”

Google has promised to roll out a fix for all Nexus devices in the next ‘N' version of the Android OS, due out later this year.

In the meantime, Schürmann told SC: “Users should generally be cautious which files/images or other content they share via email or instant messaging apps. They should verify that the content they shared from an app like Android's gallery is actually the content which has been sent inside the email or instant messaging app.”

Analysing Surreptitious Sharing, independent UK security expert Amar Singh, chair of ISACA's UK security advisory group and CEO of the Cyber Management Alliance and Give01Day.com, told SC via email: “It's good to see that the majority of the vendors who were made aware have patched their systems. Also good to see that Google is removing this from their next OS.

“The bad (or not so good) is that this research does not appear to be exposing a ‘brand new zero day' issue – so it's a bit discouraging to see that companies who are marketing their products with the specific message of privacy and security are vulnerable to such an important exploit. This kind of behaviour by these specific types of firms only adds to the overall distrust of consumers.”

In their full research paper, Schürmann and Wolf credit UK mobile security expert Rob Miller of MWR Labs who found a similar vulnerability, and Berlin-based security firm Cure53, which spotted the same flaw in the OpenPGP application OpenKeychain.

Schürmann and Wolf have built on this work, examining communication apps in general, and finding the broader problem.

They explained: “The central issue is that access control is handled via traditional Unix file system permissions. The main issue lies in the fact that apps can access their private data directories using Uniform Resource Identifiers (URIs). These URIs are normally used to access files on the SD card but they can also point to private files. For apps facilitating communication, like email or messaging apps, this leads to what we call Surreptitious Sharing.”  

Sign up to our newsletters