Shared library security flaw, ‘intra-library collusion’, enables Android apps to access personal information without the right permissions
Android smartphones are at risk from a new form of attack in which shared libraries can be exploited by malware to steal personal data that they would otherwise lack the permissions to access.
That’s according to Oxford University researchers Vincent Taylor, Alastair Beresford and Ivan Martinovic in an attack method they describe as ‘intra-library collusion’ (ILC).
Libraries are a common target for attackers due to the abundant information that they hold. The researchers write: “Users fail to appreciate the scale or sensitivity of the data that they share with third-parties when they use apps”.
However, previous research has examined apps and libraries in isolation.
Some libraries are shared between apps, which makes development more efficient and means that the software can be smaller.
Taylor, Beresford and Martinovic write that “individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted”.
Many popular third-party libraries can collect sensitive personal information from users, the researchers write, but Android’s security model does not support the separation of privileges between apps and their embedded libraries.
The libraries inherit their host apps’ permissions, and the app developers must sometimes declare additional permissions to support embedded libraries. This is especially beneficial to advertising libraries.
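The privilege accumulation described above, as an added example that is not from the researchers' work: the Python below takes a constructed inventory of installed apps (the app names, library prefixes and permission sets are all hypothetical) and reports, for each embedded library, the union of permissions it inherits across its hosts and which libraries end up holding more than any single host app was granted.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical apps and libraries):
# app package -> (permissions granted to the app, library prefixes it embeds)
INVENTORY = {
    "org.example.flashlight": ({"INTERNET", "CAMERA"}, {"com/example/adlib"}),
    "org.example.weather": ({"INTERNET", "ACCESS_FINE_LOCATION"},
                            {"com/example/adlib", "com/example/stats"}),
    "org.example.dialer": ({"INTERNET", "READ_CONTACTS", "READ_PHONE_STATE"},
                           {"com/example/adlib"}),
    "org.example.notes": ({"INTERNET"}, {"com/example/stats"}),
}


def library_reach(inventory):
    """For each library, return its host apps, the union of permissions it
    inherits across them, and per host the permissions it gains elsewhere."""
    hosts = defaultdict(dict)
    for app, (perms, libs) in inventory.items():
        for lib in libs:
            hosts[lib][app] = set(perms)
    report = {}
    for lib, apps in hosts.items():
        combined = set().union(*apps.values())
        report[lib] = {
            "hosts": sorted(apps),
            "combined": combined,
            # Permissions held via other hosts that this host was never granted.
            "beyond_host": {a: combined - p for a, p in apps.items()},
        }
    return report


def ilc_candidates(inventory):
    """Libraries whose combined permissions exceed those of every single host."""
    return sorted(
        lib for lib, r in library_reach(inventory).items()
        if len(r["hosts"]) > 1 and all(r["beyond_host"].values())
    )


if __name__ == "__main__":
    for lib, r in sorted(library_reach(INVENTORY).items()):
        print(lib, "->", sorted(r["combined"]))
        for app, extra in sorted(r["beyond_host"].items()):
            print("   beyond", app, ":", sorted(extra))
    print("exceeds every single host:", ilc_candidates(INVENTORY))
```

In this constructed data the second library is not flagged, because one of its hosts already holds every permission the library sees anywhere; only a library whose union is larger than each host's own grant gains something from being embedded in several apps.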
Analysing 15,000 popular apps (with more than one million downloads each), the researchers reached conclusions on their potential use for intra-library collusion. They found that the com/facebook library was the most popular, used in 11.9 per cent of the apps they studied. Libraries belonging to Google Analytics (9.8 per cent) and Flurry (6.3 per cent) were also widespread.
On average, the researchers said, advertiser libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day”.
The threat from intra-library collusion is clear, especially on modified phones such as rooted or jailbroken models. However, countering it is a challenge; simply revoking privileges is not a viable tactic. If privileges were revoked, advertisers would have more difficulty targeting ads, making them less likely to use libraries.
App developers also stand to lose revenue, so are unlikely to be interested in implementing such a solution. Data-passing APIs can also be used to share information between apps and libraries, even if privileges are revoked.
Other solutions include new legislation enacted by national governments, or major app stores changing their developer policies. The problem there comes down to the fact that intra-library collusion detection is difficult to achieve; the actual maliciousness takes place on third-party servers, not the user’s device.