Android flaw puts personal data at risk
User data at risk from unsecured automated storage in applications
A security flaw in Google Android devices could be putting personal data of users at risk.
According to research from Palo Alto Networks, private data that is automatically stored by apps on Android 4 devices can be accessed without authorisation.
Android Internal Storage is a protected area that Android-based applications use to store private information, including usernames and passwords. But as Palo Alto Networks research reveals, an attacker may be able to steal sensitive information from most of the applications on an Android device using the Android Debug Bridge (ADB) backup/restore function. In addition, most of the security enhancements added by Google to prevent this type of attack can be bypassed.
The security company said that more than 94% of popular Android applications used in the Middle East & Africa are potentially vulnerable, and that Android 4.0 accounts for around 85% of Android devices in the Middle East today, around 178 million devices.
"We encourage users to be aware and Google to take a closer look at this storage weakness in Android. Given Android's place as the region's most popular mobile operating system, millions of users are potentially at risk here in the Middle East and Africa," said Saeed Agha, general manager - Middle East, Palo Alto Networks.
To use ADB, an attacker would need physical access to the device, whether borrowing or stealing it from the user; an attacker could also take control of a system to which the device is connected via USB.
The vast majority of popular Android applications, including pre-installed email and browser applications, use the backup system, meaning users are vulnerable. Many Android applications will store user passwords in plain text in Android Internal Storage, meaning almost all popular e-mail clients, FTP clients and SSH client applications are vulnerable.
Google has set the default for applications to allow back-ups; application developers are responsible for disabling the feature or otherwise restricting backups; however, the high percentage of applications that have not disabled or restricted backups suggests many developers are unaware of the risks.
Palo Alto Networks recommends Android users disable USB debugging when not needed, and application developers to protect Android users by setting android:allowBackup to false in each Android application's AndroidManifest.xml file or restricting backups from including sensitive information using a BackupAgent.