CR · Oct 31, 2015

Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications

arXiv:1511.00104v2 · 2 citations
AI Analysis

This paper addresses a critical privacy vulnerability for mobile app users, revealing cross-platform security flaws that could lead to data breaches.

The paper tackled the problem of indirect file leaks (IFLs) in Android and iOS applications, showing that private files can be leaked by exploiting trusted components like browser interfaces and command interpreters, affecting popular apps such as Evernote and QQ, with attacks that can be launched remotely without malicious apps.

Today, much of our sensitive information is stored inside mobile applications (apps), such as browsing histories and chat logs. To safeguard these private files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps' file zones from one another. However, we show in this paper that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike the previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps in the victim's smartphones. We finally compare the impacts of four different types of IFL attacks on Android and iOS, and propose several mitigation methods.
