Palo Alto Networks has unveiled new research highlighting security risks in the internal storage used by applications on Google Android devices, rendering more than 94 percent of popular Android applications used in the Middle East & Africa potentially vulnerable.
The research reveals that hackers can easily steal sensitive information from most of the applications on an Android device using the Android Debug Bridge (ADB) backup/restore function.
Android Internal Storage is a protected area that Android-based applications use to store private information, including usernames and passwords.
The research was initially prompted by a technical flaw reported by many Android phone users in 2010. The ADB restore function saves the usernames and passwords of many applications that run on Google Android devices in plaintext, rendering almost all popular e-mail clients, FTP clients and SSH client applications at risk. Since the details aren’t encrypted, it is relatively easy for a hacker to access them by taking a backup of the phone by connecting it to a PC.
Although there are various physical and technical barriers, most of the security enhancements added by Google to prevent this type of attack can be easily bypassed without specialized hacking skills. Of the estimated 525.8 million mobile phone owners in the Middle East and Africa, this equates to over 178 million at risk in the region.
Saeed Agha, General Manager, Middle East, Palo Alto Networks, said, “We encourage users to be aware and Google to take a closer look at this storage weakness in Android. Given Android’s place as the region’s most popular mobile operating system, millions of users are potentially at risk here.”
In the Middle East & Africa, Android has the largest market share of all platforms, at 40 percent.
Anyone using a device running version 4.0 of Android – about 85 percent of Android systems in use today in the Middle East – is potentially at risk.
Over 94 percent of popular Android applications, including pre-installed email and browser applications, use the backup system.
To use ADB, an attacker would need physical access to the device, whether borrowing or stealing it from the user; an attacker could also take control of a system to which the device is connected via USB.
Google has set the default for applications to allow backups, and application developers are responsible for disabling the feature or otherwise restricting backups. However, the high percentage of applications that have not disabled or restricted backups suggests many developers are unaware of the risks.
Palo Alto recommends that Android users disable USB debugging when it is not needed, and that application developers protect Android users by setting android:allowBackup to false in the AndroidManifest.xml file of each application. Developers can also restrict backups from including sensitive information by using a BackupAgent.
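A developer can check an application's own manifest for this setting before release. The script below is an added example, not code from Palo Alto Networks or Google; it assumes the manifest is available as decoded text XML (as in a source tree), and the package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def audit_manifest(manifest_xml):
    """Classify one decoded AndroidManifest.xml by its backup exposure."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = app.get(f"{{{ANDROID_NS}}}allowBackup")
    agent = app.get(f"{{{ANDROID_NS}}}backupAgent")
    if raw is not None and raw.strip().lower() == "false":
        status = "disabled"
    elif agent:
        # Backups stay enabled; the declared BackupAgent decides what is
        # included, so its code still needs a manual review.
        status = "agent-declared"
    else:
        # Attribute missing (the default allows backups), "true", or an
        # unresolved resource reference such as "@bool/..." all land here.
        status = "backup-allowed"
    return {"package": root.get("package"), "allowBackup": raw,
            "backupAgent": agent, "status": status}

# Constructed sample manifests (hypothetical packages), not from real apps.
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
SAMPLES = {
    "default": _HEAD + 'package="com.example.mailclient">'
               '<application android:label="Mail"/></manifest>',
    "hardened": _HEAD + 'package="com.example.sshclient">'
                '<application android:allowBackup="false"/></manifest>',
    "agent": _HEAD + 'package="com.example.ftpclient">'
             '<application android:allowBackup="true" '
             'android:backupAgent=".PrefsOnlyBackupAgent"/></manifest>',
}

def audit_all(samples=SAMPLES):
    """Return {sample name: status} for every manifest in `samples`."""
    return {name: audit_manifest(xml)["status"] for name, xml in samples.items()}

if __name__ == "__main__":
    for name, status in audit_all().items():
        print(f"{name}: {status}")
```
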