Researchers have identified a vulnerability in an Android API used by messaging apps such as Skype and perhaps more concerning, privacy-centric apps such as Signal, and Telegram, that could lead to privilege escalation and data loss including private keys.
Dominik Schürmann and Lars Wolf, researchers at the Braunschweig University of Technology in Germany, discovered the vulnerability, which they’ve dubbed Surreptitious Sharing. The two gave a presentation on the vulnerability during a panel at GI Sicherheit 2016, a security conference in Bonn, Germany on Monday.
While most of the apps the researchers single out in the report have since been patched, they claim Skype is still vulnerable and that the vulnerability is “definitely present in many more apps.”
The issue stems from Intent, an API that Android uses to share content. Instead of sending the actual files, the API sends URIs, or Uniform Resource Identifiers, which point to files. When the API sends URIs using the file scheme, it usually points to files on the device’s SD card, but can also point to private files, the researchers claim.
“If an application registers Intent Filters to support Android’s sharing API or defines custom Intents accepting URIs, they are potentially accepting file URIs that could also point to their own private files,” Schürmann and Wolf write in the paper.
The two acknowledge that Cure53, a Berlin-based penetration testing firm, initially found the vulnerability when it performed an audit of OpenKeychain, (.PDF) an OpenPGP app that Schürmann runs, last fall. Schürmann and Wolf took the issue and examined it in “a broader context” to determine that several popular communication apps were vulnerable.
To test the vulnerability, the researchers looked at four email and eight messaging apps. While they admit the issue exists in other apps it didn’t evaluate, eight of the 12 it did look at were vulnerable.
To carry out their proof of concept, the researchers used a malicious music app, designed to encourage sharing via the messaging apps. Once the victim shares, the URI is initiated and the attacker can retrieve private database files.
With Skype, the two were easily able to execute the exploit, and retrieve an offline storage database, something that froze the program.
In Threema, an instant messaging app popular in Germany that boasts end-to-end encryption, the researchers were able to retrieve both a database and key belonging to the app.
The attackers were able to get Threema, and another encrypted messaging app, Signal, to share its database as an audio recording. The researchers claim they were able to retrieve the file, save it, and open it as a database file. The two claim Signal was vulnerable – chiefly because of the way it processed the file – and crashed for them on each start.
The duo tried to carry out attacks on messaging apps like Google Hangouts, WhatsApp, and Facebook Messenger via the same vector, but weren’t able to exploit the vulnerability.
By using hard links the two were able to use the vulnerability to bypass security checks in Gmail on older Android versions, and AOSP Mail.
To demonstrate the bug in the email platforms the researchers used a malicious app designed to trick users into thinking a problem occurred and a bug report had to be sent. If a user touched the button, the API would forward a private file, containing the IMAP password, to a particular email.
Developers with the mail platforms K-9 Mail and WEB.DE Mail, which they also tested, and the messaging apps Threema, and Telegram, were quick to patch the issue, according to Schürmann and Wolf.
Similarly, Moxie Marlinspike, the founder of Open Whisper Systems – which owns Signal – committed two fixes to remedy the issue in the app at the end of March.
The researchers claim Microsoft, which owns Skype, did not return their message disclosing the bug.
For what it’s worth, support for the file scheme – a vulnerable vector the API uses – has been removed in the Developer Preview version of the next Android build, Android N. Both Schürmann and Wolf believe the change to the operating system, slated for release in mid-2016, was planned before the two reported the vulnerability, however.
“We don’t know if this has been done as a response to this vulnerability, but we suspect this change was already planned before we reported the problem, as comments inside AOSP source code already indicated upcoming changes,” the two write.
Until then, the researchers are advocating that Android messaging apps pre-process content and for the sake of verification, display the filename before sending it.
“Content shared from other applications should be considered as unverified input that needs to be explicitly acknowledged by the user. Even after fixing the vulnerability,” the two write, “applications could still share different content than what has been shown to the user before.”