That's a really great response and attitude. Nice to see and gives me hope that Android will be something we can look to for security and privacy at some stage in the not too distant future.
I wonder if a permissions overhaul is in the works? The recent change to categorized permissions seems both like a step backwards but also like it is showing off how flawed Android's permissions system really is. If Google really want Android to be "stronger and more secure" this would be a good place to start.
Ok, the actual paper describes the problem "popular GUI frameworks by design can potentially reveal every UI state change through a newly-discovered public side channel — shared memory".
The attack works by watching the size of shared memory in use in /proc, detecting UI events by allocations of shared memory, and then pre-empting the new screen with a phishing screen.
1) A service (with no permissions) can monitor /proc and come up with a way to identify Activity transitions, and pinpoint specific activities in specific apps. This is brilliant IMO.
2) With good timing, a service (with no permission) can inject a "phishing" Activity in foreground, just when the app is supposed to show its own Activity. This can be used to steal credentials, etc. Videos show that it works flawlessly, with perfect timing and no graphic glitches.
3) A service (with no permissions) can take camera pictures in background with no permissions, bypassing the permissions because of a bug (the camera preview into an OpenGL texture seems not guarded by app permission checks).
My comments:
#1 shows a security issue because of inheritance of bad security practices of desktop operating systems. Since applications don't need /proc (especially if they're supposed to always go through the framework, for security reasons), they shouldn't be given access.
#2 shows a glaring design bug in Android backgrounding system. The fact that a service can pop up an activity in front of an user while they are doing something else, is not only a UX mistake, but a clear security issue.
#3 seems like "just a bug", but the idea that any background service (with any permission level) could be taking pictures in background on any Android device is terrifying.
It sounds like the actual Intent contents remain secure, however, the creation of an Intent while a particular app is in the foreground and using a particular amount of memory might be the kind of trigger they'd be looking for.
An OS level patch to get around this could involve preallocating shared memory for each application so that differences in it during the app lifecycle do not actually occur. Modern systems have enough RAM, and there are low enough limits on what is flying around, that this shouldn't be a problem.
The paper is linked in the article. Here are demos linked from their paper: https://sites.google.com/site/uistateinferenceattack/demos
Therein lies Google's problem, as once anything is usable in public it does get used/abused. There are certain VM behaviours in compatibility mode which are like this, where outright bugs have to be preserved in later versions for the benefit of apps which aren't going to receive timely updates.
1. https://android.googlesource.com/platform/system/core/+/mast... line 218
Also, /proc nor ptrace is "useless". Both are actually fundamental to several aspects of the underlying system that zygote runs on.
The above makes sense if you want to assume that you need /proc at least at some permission level. If you don't (which I think you don't), then it should simply be unmounted in the sandbox.
IPC is the standard way to get out of the sandbox, and should be used also for whatever features the APIs need /proc for.