Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications
Daoyuan Wu, Rocky K. C. Chang

TL;DR
This paper uncovers new indirect file leak attacks in Android and iOS apps that exploit trusted components like browsers and embedded servers, enabling remote data leaks without malicious app installation.
Contribution
It introduces novel indirect file leak (IFL) attack techniques applicable to both Android and iOS, demonstrates remote exploitation, and provides mitigation strategies.
Findings
IFL attacks affect popular apps like Evernote and QQ
Attacks can be launched remotely without malicious app installation
Comparison of four IFL attack types and mitigation methods
Abstract
Today, much of our sensitive information is stored inside mobile applications (apps), such as the browsing histories and chatting logs. To safeguard these privacy files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps' file zones from one another. However, we show in this paper that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike the previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps in victim's smartphones. We finally compare the impacts of four…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Software Testing and Debugging Techniques
