[Aug 13, 2018]
Man-in-the-Disk Attack Shows How Apps' Use of External Storage Opens an Android Phone to Serious Attacks
It opens a new attack surface that allows an attacker to replace or manipulate the data stored on External Storage.
These attacks are possible when apps use External Storage without performing proper validation. Man-in-the-Disk allows an attacker to silently install malicious apps on the user's phone, launch DoS attacks against legitimate apps, inject code, and cause applications to crash.
Attackers convince the user to install a legitimate app that contains the attacker's script, which in turn asks the user for external storage permission. Once the user grants the permission, the attacker monitors the data transferred between the user's device and external storage.
Cyber Security Tips:
- External storage, mostly SD cards, does not have Android's built-in sandbox protection, and the resource is shared across all applications. Users are urged not to grant any unauthenticated app permission to use external storage.
- The Android application developer documentation provides guidelines on how apps should manage external storage. Following these guidelines is highly recommended to restrict Man-in-the-Disk attacks.
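
One way an app can perform the validation described above, as an added example that is not from the original article or the Android documentation: copy the file out of external storage into app-private storage first, hash the bytes actually copied, and use only that private copy. The class and method names are hypothetical. It assumes the expected SHA-256 digest reaches the app over a trusted channel (for example bundled in the app or fetched over HTTPS), and it uses `java.nio.file`, which is available on Android from API level 26.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DigestOutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example; class and method names are hypothetical.
public final class ExternalFileValidator {

    /**
     * Copies a file from shared external storage into app-private storage,
     * hashing the bytes as they are written, and keeps the copy only if the
     * SHA-256 digest matches the expected value (assumed to come from a
     * trusted channel). The caller must use the returned private copy and
     * never reopen the external path, which another app could rewrite
     * between the check and the use.
     */
    public static Path importVerified(Path externalFile, Path privateDir,
                                      byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Path privateCopy = Files.createTempFile(privateDir, "import-", ".tmp");
        boolean ok = false;
        try {
            try (InputStream in = Files.newInputStream(externalFile);
                 OutputStream out = new DigestOutputStream(
                         Files.newOutputStream(privateCopy), sha256)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n); // also feeds the digest
                }
            }
            // Constant-time comparison of computed and expected digests.
            ok = MessageDigest.isEqual(sha256.digest(), expectedSha256);
            if (!ok) {
                throw new SecurityException("Digest mismatch for " + externalFile);
            }
            return privateCopy;
        } finally {
            if (!ok) {
                Files.deleteIfExists(privateCopy); // never keep unverified data
            }
        }
    }
}
```

Hashing the file in place on external storage and then reopening it would leave a window in which another app holding the storage permission could swap the contents, which is why the digest is computed over the private copy.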