Seven Cell Phone Apps Your Professor Can Easily Hack—Android, Windows and iOS Users Beware

  • comments
  • print
  • email
Aug 25, 2014 07:03 PM EDT

Presenting their findings last Friday Aug. 22 at the 23rd annual USENIX Security Symposium held in San Diego, researchers from the University of California, Riverside found that by exploiting weaknesses in cell phone operating systems they were able to hack into their students' personal accounts for seven of the most widely used mobile applications.

Looking into the effect that multiple applications have on one another once all running on a shared infrastructure, or the cell phone's operating system, the researchers developed a method of hacking they hoped would give insights into feasibility of identity theft and protection of personal information. Noticing that so many apps have recently been created by literally millions of developers, the researchers wanted to test the safety of information collaboration amongst the apps within a unified infrastructure.

"The assumption has always been that these apps can't interfere with each other easily" lead author Zhiyun Qian said. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

Testing seven of the most popular applications on Android devices, the researchers found with a high rate of efficacy the ease of penetrating digital defenses, with successful hack rates between 82 and 92 percent of the time on six of the applications. The seventh, the Amazon shopping application, was the only application tested that proved difficult to access, with still a staggering 48% success rate.

"By design, Android allows apps to be preempted or hijacked" Qian says. "But the thing is that you have to do it at the right time so that the user doesn't notice. We do that, and that's what makes our attack unique."

Their calculated attack is initiated when a user downloads a seemingly benign application, like one for background wallpapers or keyboard emoticons on a cell phone. Once installed, the researchers are able to exploit a newly discovered public side avenue, that of shared memory, which can be accessed without privileges and is activated whenever a victim application is launched or a photo is taken. Shared memory, which runs in the background of nearly all operating systems, allows for cellular devices to efficiently process share data, but also allowed an entry point for the professors to monitor their students' every activity.

Though the researchers were not able to mirror the information being exchanged, by monitoring changes in shared memory they were able to indicate what activity was taking place by correlating changes to what they call an "activity transition event". Qian and his fellow researchers suggest that this exposure in the design of operating systems could lead to large-scale data breeches, and say that users should be mindful of the tradeoff between security and functionality next time they consider installing an untrustworthy application.

The seven applications the researchers attempted to hack and their success rates are listed below:

*Gmail (92 percent)

*H&R Block (92 percent)

*Newegg (86 percent)

*WebMD (85 percent)

*CHASE Mobile Banking (83 percent)

*Hotels.com (83 percent)

*Amazon (48 percent)

Join the Conversation
Real Time Analytics