Indirect File Leaks in Mobile Applications

Research output: Other Conference Contributions | Conference Paper (other) | Research | peer-review

Abstract

Today, much of our sensitive information, such as browsing histories and chat logs, is stored inside mobile applications (apps). To safeguard these private files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps’ file zones from one another. However, we show in this paper that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps on victims’ smartphones. Finally, we compare the impacts of four different types of IFL attacks on Android and iOS, and propose several mitigation methods.
Original language: English
Number of pages: 10
Publication status: Published - 21 May 2015
Externally published: Yes
Event: Mobile Security Technologies 2015 - San Jose, United States
Duration: 21 May 2015 to 21 May 2015

Workshop

Workshop: Mobile Security Technologies 2015
Abbreviated title: MoST 2015
Country/Territory: United States
City: San Jose
Period: 21/05/15 to 21/05/15

Bibliographical note

Acknowledgements:
We thank all three anonymous reviewers for their helpful comments.

Funding

This work was partially supported by a grant (ref. no. ITS/073/12) from the Innovation Technology Fund in Hong Kong.
