Hacking Gmail with 92 percent success

Date: August 21, 2014
Source: University of California - Riverside
Summary: Computer scientists have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone.

A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, has identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack on an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

Zhiyun Qian, an assistant professor at UC Riverside.

The paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," will be presented Friday, Aug. 22 at the 23rd USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.

The researchers believe their method will work on other operating systems because they share a key feature the researchers exploited in the Android system. However, they haven't tested the program on the other systems.

The researchers started working on the method because they believed there was a security risk with so many apps being created by so many developers. Once a user downloads a bunch of apps to his or her smartphone, they are all running on the same shared infrastructure, or operating system.

"The assumption has always been that these apps can't interfere with each other easily," Qian said. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel -- the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature that allows processes to share data efficiently.)

The researchers monitor changes in shared memory and are able to correlate changes to what they call an "activity transition event," which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank. Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.

There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.

"By design, Android allows apps to be preempted or hijacked," Qian said. "But the thing is you have to do it at the right time so the user doesn't notice. We do that and that's what makes our attack unique."

The researchers created three short videos that show how the attacks work. They can be viewed here: https://sites.google.com/site/uistateinferenceattack/demos

Here is a list of the seven apps the researchers attempted to attack and their success rates: Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent), Hotels.com (83 percent) and Amazon (48 percent).

Amazon was more difficult to attack because its app allows one activity to transition to almost any other activity, increasing the difficulty of guessing which activity it is currently in.

Asked what a smart phone user can do about this situation, Qian said, "Don't install untrusted apps." On the operating system design, a more careful tradeoff between security and functionality needs to be made in the future, he said. For example, side channels need to be eliminated or more explicitly regulated.


Story Source:

The above story is based on materials provided by University of California - Riverside. The original article was written by Sean Nealon. Note: Materials may be edited for content and length.


Cite This Page:

University of California - Riverside. "Hacking Gmail with 92 percent success." ScienceDaily. ScienceDaily, 21 August 2014. <www.sciencedaily.com/releases/2014/08/140821124837.htm>.
