A long-running, relatively unknown, and rather serious Android security issue is finally being resolved in Android P.
As reported by XDA Developers, Android apps have long had the ability to monitor network connections without needing to request access from the user to do so.
Apps taking advantage of that security loophole can’t read the contents of what you’retransmitting but can see what you’re connecting to. For example, an app could see that you regularly connect to a certain bank, investment portfolio website, or social medial platform, but it can’t steal your credentials or read your account details.
XDA Developers said anyone can test the effectiveness of this flaw by installing a Netstat app from Google Play.
The security implications of this long-running exploit are enormous. While it doesn’t give an attacker the information required to immediately access an account, it does open the door for social engineering attacks, which are some of the most prevalent.
Say a cybercriminal monitoring your Android device’s network activity learns that you regularly connect to a particular bank. They don’t know your username or password, but they know where you keep your money and have plenty of ways to exploit that information to gain access to your account.
XDA Developers said this security issue is “years old,” but it doesn’t state how old, exactly. Regardless, that means malicious actors have had years to exploit it.
How apps keep a quiet eye on you, and what Google is doing to fix it
As pointed out by a change on Android Open Source Project, the problem stems from the relatively open access apps have to Android’s /proc/net directory, which contains TCP and UDP files that log internet connections.
/proc/net “leaks information,” Google said, and the changes coming to a future developer build of Android P start the process of locking the directory down.
SEE: Mobile device computing policy (Tech Pro Research)
This initial change to /proc/net access won’t affect VPN apps, which require access to /proc/net in order to function. Other applications that want to access /proc/net will be audited to verify their need for access.
XDA Developers saidthey hope the change will be backported, becausedevices running older versions of Android are still vulnerable, and said there’s no way of knowing if or when that vulnerability will be fixed.
Until then, it’s essential that you only install apps from the Google Play store, and even then don’t make the assumption that all the apps there are safe. Take the time to verify that the app you want to install is from the correct developer, read user reviews to learn more about suspicious app activity, and always uninstall apps you no longer use.
The big takeaways for tech leaders:
- A long-running flaw in Android allows any app to monitor network activity. The flaw doesn’t provide the content of the traffic but does allow apps to see what domains users are connecting to.
- A change commit on the Android Open Source Project indicates that Google is locking down the directory that contains network connection information. It’s not known when the fix will be released in an Android P preview, nor if it will be backported to earlier versions.
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- The 10 best ways to secure your Android phone (ZDNet)
- Android P: Cheat sheet (TechRepublic)
- Android security: Your phone’s patch level says you’re up to date, but that may be a lie (ZDNet)
- Android Security Bulletin April 2018: What you need to know (TechRepublic)