Google’s enterprise mobility tool, formerly known as Android for Work, has two features that could allow an attacker to access data that should be protected by its sandboxed work environment.
The Android for Work framework allows organizations to use third-party enterprise mobility management software set up a work profile on a device to manage and isolate business data in a sandbox from personal data.
It shouldn’t be possible for any app in the personal profile, including a malicious one, to reach content from the work side, however researchers from Israel-based Skycure found that a malicious app could bypass the divide using a so-called “app-in-the-middle” attack and transmit stolen data to a remote attacker’s server.
The first app-in-the-middle attack takes advantage of Android Notifications, which by design, displays SMS, email messages, calendar meetings from apps in both personal and work profiles.
The attack described by Skycure’s Yair Amit and Shahar Areli involved the user installing an app in the personal profile that promises to mirror Android notifications to the user’s desktop. However, as it’s in fact a malicious app, personal and work notifications are sent to the attacker’s server. While the malicious app hasn't breached the work profile sandbox, it can still access potentially sensitive work data from work profile notifications.
Additionally, the attack can be enhanced by incorporating a password reset into the process, since a malicious app can also gain permission to remove notifications. For example, if an attacker knew the target’s work Gmail address or Slack username, they could wipe a notification before the user notices the password reset email, as well as capture a two-factor code sent in notifications.
Another devious attack exploits the Accessibility feature on Android, which helps the visually impaired with tools like audible narration of text. Naturally, it has access to nearly all content and controls. A malicious app could request Accessibility permissions to access content from apps in the work profile, again bypassing the Android for Work container. Rather troublingly for admins, given that Android for Work was designed to protect personal data, there’s no way to monitor the malicious Accessibility-aided app on that side of the wall.
Skycure’s Amit said these attacks demonstrated the “dangerous illusion of security” since exploit how exactly how Android for Work was designed and intended.
“It is the user that must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information,” wrote Amit.
“The danger lies in the illusion of a secure container, which tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect sensitive data.”
Amit said Android Security had vetted the findings prior to his disclosure but determined that these were intended behaviors.
“As that behavior poses an unexpected and clear threat to corporate data of organizations that utilize Android for Work, we have mutually agreed to disclose the findings with the public, to raise awareness to the exposure,” Amit wrote.