Featured Research

from universities, journals, and other organizations

Hacking Gmail with 92 percent success

Date: August 21, 2014
Source: University of California - Riverside
Summary: Computer scientists have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack on an Android phone.

A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, has identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack on an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

[Photo: Zhiyun Qian, an assistant professor at UC Riverside.]

The paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," will be presented Friday, Aug. 22 at the 23rd USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.

The researchers believe their method will work on other operating systems because they share a key feature the researchers exploited in the Android system. However, they haven't tested the program on the other systems.

The researchers started working on the method because they believed there was a security risk with so many apps being created by so many developers. Once a user downloads a bunch of apps to his or her smart phone, they are all running on the same shared infrastructure, or operating system.

"The assumption has always been that these apps can't interfere with each other easily," Qian said. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel -- the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature that lets processes share data efficiently.)

The researchers monitor changes in shared memory and are able to correlate changes to what they call an "activity transition event," which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank. Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.

There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.

"By design, Android allows apps to be preempted or hijacked," Qian said. "But the thing is you have to do it at the right time so the user doesn't notice. We do that and that's what makes our attack unique."

The researchers created three short videos that show how the attacks work. They can be viewed here: https://sites.google.com/site/uistateinferenceattack/demos

Here is a list of the seven apps the researchers attempted to attack and their success rates: Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent), Hotels.com (83 percent) and Amazon (48 percent).

Amazon was more difficult to attack because its app allows one activity to transition to almost any other activity, increasing the difficulty of guessing which activity it is currently in.
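
Why a densely connected activity graph makes tracking harder, shown as an added example that is not from the original article or the researchers' paper: a simplified model in which an observer knows the current activity and sees only a coarse signature of the next one. The activity names, signature buckets and both transition graphs are constructed for illustration, and every transition is weighted equally.

```python
from fractions import Fraction

# Constructed data: activity names and the coarse "signature" bucket an
# observer would see when each activity starts. Two activities per bucket,
# so a signature alone never identifies an activity.
SIGNATURE = {
    "Main": 1, "Checkout": 1,
    "Login": 2, "Compose": 2,
    "Search": 3, "Detail": 3,
}

# Constructed app with a narrow flow: each activity leads to a few others.
SPARSE = {
    "Main": ["Login", "Compose", "Search"],
    "Login": ["Main"],
    "Compose": ["Main"],
    "Search": ["Detail", "Main"],
    "Detail": ["Checkout", "Search"],
    "Checkout": ["Main"],
}

# Constructed app where any activity can lead to any other activity.
DENSE = {a: [b for b in SIGNATURE if b != a] for a in SIGNATURE}


def inference_accuracy(transitions, signature):
    """Average chance of naming the next activity correctly.

    The observer knows the current activity, sees only the signature of the
    next one, and guesses uniformly among the successors of the current
    activity that share that signature. Every transition counts equally.
    """
    total, edges = Fraction(0), 0
    for successors in transitions.values():
        for nxt in successors:
            candidates = [a for a in successors if signature[a] == signature[nxt]]
            total += Fraction(1, len(candidates))
            edges += 1
    return total / edges


if __name__ == "__main__":
    for name, graph in (("sparse", SPARSE), ("dense", DENSE)):
        acc = inference_accuracy(graph, SIGNATURE)
        print(f"{name}: {float(acc):.2f}")
```

In this model the narrow flow scores 0.90 and the fully connected one 0.60; those figures are properties of the constructed graphs, not the success rates reported above.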

Asked what a smart phone user can do about this situation, Qian said, "Don't install untrusted apps." On the operating system design, a more careful tradeoff between security and functionality needs to be made in the future, he said. For example, side channels need to be eliminated or more explicitly regulated.


Story Source:

The above story is based on materials provided by University of California - Riverside. The original article was written by Sean Nealon. Note: Materials may be edited for content and length.


Cite This Page:

University of California - Riverside. "Hacking Gmail with 92 percent success." ScienceDaily. ScienceDaily, 21 August 2014. <www.sciencedaily.com/releases/2014/08/140821124837.htm>.
University of California - Riverside. (2014, August 21). Hacking Gmail with 92 percent success. ScienceDaily. Retrieved September 23, 2014 from www.sciencedaily.com/releases/2014/08/140821124837.htm
University of California - Riverside. "Hacking Gmail with 92 percent success." ScienceDaily. www.sciencedaily.com/releases/2014/08/140821124837.htm (accessed September 23, 2014).
