Android users, your data could be exposed by an implementation flaw in popular apps. Microsoft has published research describing a vulnerability pattern that could be present in a large number of applications; the affected apps it identified on Google Play have, by Microsoft's estimate, more than four billion installations combined.
The vulnerability, which Microsoft has nicknamed “Dirty Stream”, lies in the ability of a malicious app to abuse Android’s content provider system. Content providers are designed to enable controlled data exchange between apps on a device, and that exchange is normally protected by permissions, per-URI access grants and validation of file paths. The weak link Microsoft describes is on the receiving side: an app that accepts a shared file trusts the file name reported by the sending app’s provider and writes the stream into its own internal storage under that name, so a name containing path traversal sequences lets the sender overwrite files in the receiving app’s private data directory. Sloppy implementation of this step turns a sharing feature into an entry point ripe for exploitation.
According to Microsoft’s research, incorrect use of the communication layer between Android apps, known as “custom intents”, can expose sensitive areas of the receiving app. This allows attackers to inject code or configuration into the app’s private files, potentially taking over the app entirely, accessing sensitive user data and intercepting login credentials.
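The following is an added example, not code from Microsoft’s report or from any of the apps it names. It sketches, in Android Java, the receiving-side pattern described above: an app that accepts a content:// URI from another app, asks the remote provider for the file’s display name, and saves the stream under that name. The class, method and directory names are hypothetical; the unsafe and hardened variants sit side by side.

```java
// Added example (not from Xiaomi File Manager, WPS Office or Microsoft's writeup).
// Class and method names are hypothetical. Shows the consumer-side pattern behind
// "Dirty Stream": trusting a file name supplied by another app's ContentProvider.
import android.content.ContentResolver;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class IncomingFileHandler {

    private IncomingFileHandler() {}

    /** Entry point for an intent carrying a content:// URI from another app. */
    static void handleIncoming(ContentResolver resolver, File filesDir, Intent intent)
            throws IOException {
        Uri uri = intent.getData();
        if (uri == null || !ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
            return; // only content URIs are expected here
        }
        saveSafe(resolver, filesDir, uri);
    }

    /**
     * Asks the sending app's provider for DISPLAY_NAME. The provider belongs to the
     * other app, so this string is attacker-controlled and must be treated as input.
     */
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                return c.getString(c.getColumnIndexOrThrow(OpenableColumns.DISPLAY_NAME));
            }
        }
        return null;
    }

    /**
     * VULNERABLE: the remote name is used as-is. A provider that reports a name such as
     * "../shared_prefs/settings.xml" makes this write land outside the intended folder,
     * inside the receiving app's private data directory.
     */
    static void saveUnsafe(ContentResolver resolver, File filesDir, Uri uri) throws IOException {
        String name = queryDisplayName(resolver, uri);
        File target = new File(new File(filesDir, "imports"), name);
        copy(resolver, uri, target);
    }

    /**
     * HARDENED: accept only a plain file name, then confirm that the canonical path of
     * the resulting file still has the intended directory as its direct parent.
     */
    static File resolveInside(File dir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()
                || untrustedName.contains("/") || untrustedName.contains("\\")
                || untrustedName.equals(".") || untrustedName.equals("..")) {
            throw new IOException("rejected file name from remote provider");
        }
        File canonicalDir = dir.getCanonicalFile();
        File target = new File(canonicalDir, untrustedName).getCanonicalFile();
        if (!canonicalDir.equals(target.getParentFile())) {
            throw new IOException("file name resolves outside " + canonicalDir);
        }
        return target;
    }

    static void saveSafe(ContentResolver resolver, File filesDir, Uri uri) throws IOException {
        File importDir = new File(filesDir, "imports");
        if (!importDir.isDirectory() && !importDir.mkdirs()) {
            throw new IOException("cannot create " + importDir);
        }
        File target = resolveInside(importDir, queryDisplayName(resolver, uri));
        copy(resolver, uri, target);
    }

    private static void copy(ContentResolver resolver, Uri uri, File target) throws IOException {
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream out = new FileOutputStream(target)) {
            if (in == null) {
                throw new IOException("provider returned no stream");
            }
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

The validation in resolveInside is a minimum; an even simpler defence is to ignore the remote display name entirely and store the incoming stream under a name the receiving app generates itself, which removes the attacker-controlled string from the path altogether.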
Microsoft is not just disclosing the vulnerability. It has worked proactively with affected developers, alerting them to potentially vulnerable apps. Among the apps identified in the report are Xiaomi’s File Manager and WPS Office, both with large user bases: the former has over a billion installations and WPS Office about 500 million. Both companies have deployed fixes to address the issue.
Google has also been alerted. The search behemoth has updated its app security guidance to highlight the common implementation errors that lead to this security bypass.