
Communications of the ACM

ACM TechNews

iOS and Android Weaknesses Allow Stealthy Pilfering of Website Credentials

A Facebook server exposes a security credential to an unauthorized Android app. It took Facebook months to fix the vulnerability.

In a paper to be presented at the ACM SIGSAC Computer and Communications Security Conference in November, researchers report finding a security weakness in the iOS and Android mobile operating systems.

Credit: Wang et al.

Microsoft and Indiana University researchers have found an architectural weakness in both the iOS and Android mobile operating systems that makes it possible for hackers to steal sensitive user data and login credentials for popular email and storage services.

The researchers, in a paper to be presented at the ACM Special Interest Group on Security, Audit and Control's (SIGSAC) Computer and Communications Security Conference in November, found that both operating systems fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission. The same-origin policy is a basic security mechanism enforced by desktop browsers, but the protection is absent from many iOS and Android apps.

The researchers demonstrated the threat by creating several hacks that carry out cross-site scripting and cross-site request forgery attacks.

"The problem here is that iOS and Android do not have this origin-based protection to regulate the interactions between those apps and between an app and another app's Web content," says Indiana University professor XiaoFeng Wang.

The researchers created a proof-of-concept app called Morbs that provides OS-level protection across all apps on an Android device. Morbs works by labeling each message with information about its origin that could make it easier for developers to specify and enforce security policies based on the sites where sensitive information originates.
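The article describes the missing control in two sentences: a same-origin policy compares the origin of the requesting content with the origin of the resource, and Morbs is said to label each message with its origin so that such a policy can be enforced across apps. The following Python example is an added illustration of that idea, not the Morbs prototype or any code from the paper; the message format, the `OriginPolicy` class and the sample cookie value are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed illustration of origin-labelled inter-app messages; this is
# not the Morbs prototype and not code from Wang et al.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """Reduce a URL to the (scheme, host, port) triple that browsers compare."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme.lower(), host, port)


def same_origin(a: str, b: str) -> bool:
    """True when both URLs share scheme, host and port."""
    return origin_of(a) == origin_of(b)


@dataclass(frozen=True)
class Message:
    """An inter-app request carrying the origin label attached by the OS layer."""
    sender_origin: str   # origin of the content that issued the request
    resource_url: str    # resource the message asks for


class OriginPolicy:
    """Same-origin by default; cross-origin access only by explicit grant."""

    def __init__(self):
        self._grants = set()

    def grant(self, sender_url: str, resource_url: str) -> None:
        self._grants.add((origin_of(sender_url), origin_of(resource_url)))

    def permits(self, msg: Message) -> bool:
        src, dst = origin_of(msg.sender_origin), origin_of(msg.resource_url)
        return src == dst or (src, dst) in self._grants


class CookieStore:
    """Cookies keyed by origin, so a lookup never crosses origins by accident."""

    def __init__(self):
        self._jar = {}

    def put(self, url: str, cookie: str) -> None:
        self._jar[origin_of(url)] = cookie

    def get(self, url: str) -> Optional[str]:
        return self._jar.get(origin_of(url))


def handle_request(msg: Message, store: CookieStore, policy: OriginPolicy) -> Optional[str]:
    """Release a cookie only when the labelled sender origin passes the policy."""
    if not policy.permits(msg):
        return None
    return store.get(msg.resource_url)


def demo():
    # Constructed sample: a mail service's session cookie and two requesters.
    store = CookieStore()
    store.put("https://mail.example/", "session=constructed-sample-token")
    policy = OriginPolicy()
    third_party = Message("https://other-app.example/page", "https://mail.example/inbox")
    first_party = Message("https://mail.example/app", "https://mail.example/inbox")

    blocked = handle_request(third_party, store, policy)   # cross-origin, no grant
    allowed = handle_request(first_party, store, policy)   # same origin
    policy.grant("https://other-app.example/", "https://mail.example/")  # explicit permission
    granted = handle_request(third_party, store, policy)   # cross-origin, now granted
    return blocked, allowed, granted


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the origin label is set by the enforcing layer rather than by the sender, and the cookie store is keyed by origin, so a request from one domain cannot name a cookie belonging to another unless a grant for that exact (requester, resource) origin pair exists.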

From Ars Technica


Abstracts Copyright © 2013 Information Inc., Bethesda, Maryland, USA

