A flaw in Android external storage opens up legitimate apps to being hacked and gives illegitimate ones a window to exploit. Learn more about man-in-the-disk attacks, including how to avoid them.

Google’s Android mobile operating system has had its share of security flaws uncovered over the years. When covering tech, it can feel like every corner you turn hides a new flaw in Android’s design that puts users and developers at risk for innovative cyberattacks.

Cue a recent discovery by researchers at the software research firm Check Point: An attack they dubbed « man-in-the-disk » (MITD) attacks, which exploit a weakness in Android’s handling of external storage to inject malicious code. The exploit allowing MITD attacks has serious repercussions for Android users because it exists at a level that’s integral to Android’s design.

If man-in-the-disk sounds similar to man-in-the-middle (MITM) attacks, it’s because there are many ways in which the attacks are similar. Both involve intercepting and often modifying data for nefarious purposes—it’s simply the scale that distinguishes between the two attacks.

Check Point’s researchers found a number of apps—including some from major distributors such as Google—that were vulnerable to MITD attacks. Researchers also managed to build their own apps that took advantage of the exploit.

MITD attacks have the potential to do serious damage to not only Android devices but also to the reputation of developers who build apps for them. Whether you own an Android handset or develop for the platform, you should read on to learn more about this nasty new discovery.

What is a man-in-the-disk attack?

The first thing you might think of when hearing man-in-the-disk attack is that it sounds a lot like man-in-the-middle attack, and with good reason—a MITD is essentially another form of MITM.

A MITM attack involves intercepting and often but not always altering traffic between two endpoints, and a MITD attack is doing that on a smaller scale. A MITD attack is intercepting and potentially altering data as it moves between Android’s external storage and an installed app.

Understanding what that means requires knowing how internal and external storage on Android devices function.

Internal storage is what’s privately given to each app, and other apps aren’t able to access it. Internal storage is also sandboxed, which means it is isolated from other applications and Android processes—it can’t affect, or be affected by, other apps or the Android OS.

External storage is shared by all the applications installed on an Android device; it’s where downloads go, photos are stored, and other media and files are placed if it isn’t specific to one particular application. Keep in mind that external doesn’t necessarily mean removable—external storage can be a separate partition on an Android device’s internal memory.

The most important thing to know about external storage as it pertains to MITD attacks is that apps are free to use it for storing data that isn’t shared with other applications. Internal storage is often limited, and data-heavy apps often turn to external storage to stash additional files, pre-load updates, make themselves appear smaller, or allow for backwards compatibility.

It’s common, almost standard, for Android apps to request access to external storage, and that’s where the problem comes in.

As reported by Check Point, a malicious app is fully capable of exploiting external storage to read app data and modify what’s being sent to an app from external storage. The malicious app can use that exploit to steal personal data, install other malicious applications in internal storage, kill legitimate apps by breaking their code, and inject code to elevate its own permissions on the device.

The process, as explained by Check Point, is detailed in these two graphics, which represent malicious app installation and app crashing, respectively.

Additional resources:

Why are man-in-the-disk attacks so dangerous?

The threat posed by MITD attacks is huge, mainly because of how it attacks Android devices: By gaining access to external storage. Most Android apps that do anything outside of their own sandboxed internal storage space—and that’s a lot of apps—request access to external storage.

As Check Point states in its research, external storage access is a typical thing for a new app to request, so it doesn’t raise suspicion in the way some other app permission requests do. Once a user taps Allow, a malicious app is free to monitor and modify the contents of public storage and even install other malicious apps without the user ever knowing.

Like most Android malware, MITD attacks require users to give them permission to act—no matter how well most Android viruses and attacks are coded and obfuscated, they still need permission to do anything outside of their sandbox environments.

Users commonly ignore the permissions apps ask for even when they’re suspect, so a common request like external storage access is likely to go unnoticed, even among experienced, cautious Android users.

Additional resources

Who is affected by man-in-the-disk attacks?

MITD attacks are only dangerous to a certain subset of the tech-using world: Android developers and users.

This particular exploit might look or seem similar to the much more common man-in-the-middle attack, but it’s an execution that is specific to Android’s handling of external storage. Simply put, if you don’t have an Android device, don’t build applications for Android devices, or manage company-owned or BYOD Android devices you don’t need to worry about MITD attacks.

This is not to say there aren’t or won’t be similar exploits for other platforms—malware that exploits permissions to gain access to areas of an OS that are otherwise off-limits aren’t rare. Those other potential attacks aren’t MITD attacks, though.

How can developers protect their apps from man-in-the-disk attacks?

External storage, and its lack of security, is a fundamental part of Android’s structure. Given that, it’s unlikely Google will ever redesign Android to completely eliminate the threat from MITD attacks.

So, it’s essential for developers to be sure their apps use external storage in a secure way to prevent data harvesting, app corruption, and sideloading of malware.

The best practices section of Google’s app development guide includes a number of app security tips, much of which can be applied to avoiding MITD attacks.

In regards to the use of external storage, Google says:

  • Files created on external storage, such as SD cards, are globally readable and writable. Because external storage can be removed by the user and also modified by any application, don’t store sensitive information in external storage.
  • Perform input validation when handling data from external storage as you would with data from any untrusted source.
  • Never store executables or class files on external storage prior to loading.
  • If executables must be retrieved from external storage, they should be signed and cryptographically verified prior to dynamic loading.

Good practices for protecting data in internal storage are also provided:

  • Avoid the MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE modes for interprocess communication files because they do not provide the ability to limit data access to particular applications, nor do they provide any control of data format.
  • You can encrypt local files using a key that is not directly accessible to the application. For example, you can place a key in a KeyStore and protect it with a user password that is not stored on the device.
  • Use a content provider to give cross-app internal storage read/write permissions dynamically and on a case-by-case basis.

Check Point notes that many MITD vulnerabilities can be chalked up to lazy programming. Instead of developers working harder to build secure apps, they’re simply dumping sensitive data in external storage and/or allowing unverified data to be loaded into their apps.

Google may not say as much in their security tips, but writing a few extra lines of code can make a huge difference for the security of your users, the trustworthiness of your app, and your reputation as a developer.

Since it’s unlikely Google will redesign Android to fix the issue it’s up to you to pick up the slack.

How can users protect their devices from man-in-the-disk attacks?

Make no mistake, Android users: Your security is greatly at risk from poorly-built apps that can be manipulated by MITD attacks launched from malicious downloads.

According to Check Point, « Once crashed and with the app’s defenses down, the attacker could then potentially carry out a code injection to hijack the permissions granted to the attacked application and escalate his own privileges in order to access other parts of the user’s device, such as the camera, the microphone, contacts list and so forth. »

With so much at risk, it’s not enough to rely on app developers—even those as big as Google, Yandex, and Xiaomi (all of whom make apps vulnerable to MITD attacks)—to protect you.

Android users should take all of these steps to protect themselves—keeping a mobile device secure requires total protection.

  • Install an antimalware app on your phone to keep an eye out for malicious apps, and keep that app up to date.
  • Never load applications from sources other than the official Google Play store. While malware has been, and continues to be, found on the Google Play store, third-party app stores lack the protection Google puts in place, and it’s far more likely you’ll download a malicious app from them.
  • Read app reviews to see what other people are saying—poor reviews, a lack of substantial reviews, or repeat reviews that say the same or similar things should all raise red flags.
  • Investigate app permissions, which you can do on an app’s Google Play store page by tapping Read More under the app’s description, scrolling down, and finding App Permissions. If anything seems out of the ordinary (a flashlight app asking for external storage access, for example), don’t install it—look for another app instead.

Developers are the front line in protecting your device, but you’re not off the hook. By taking the proper precautions to keep yourself safe, you shouldn’t ever have to worry about a serious infection on your Android device.