Check Point Research has now revealed that apps using external storage mediums may not be as safe as their internally stored counterparts on Android. The new attack, which Check Point refers to as 'Man-in-the-Disk,' takes advantage of an apparent vulnerability found in the operating system itself. Specifically, apps with access to read and write data on an SD card or logical partition in the storage itself can effectively access data for any app with data stored there. In fact, an application doesn't need to actually install anything to external storage. It only needs to request and be granted permission to interact with external storage. With that access, a malicious entity can readily alter other applications with a direct attack on that app's data and injected code once that has been accomplished. It can also enable any number of other actions. For example, an app could exploit the vulnerability and spy on the user through other installed apps' data without alerting the user to that activity.
The implications of the discovery aren't limited to app crashes and spying either. A well-thought-out malicious app could feasibly spread out and hijack other apps or force installation of further bad apps. Apps don't have to be installed to the storage to suffer such an attack either. Check Point notes out that Xiaomi Browser, for example, utilizes external storage as a pass-through for app updates. Using a Man-in-the-Disk attack, the researchers were able to replace the code on its way through external storage with code to install another malicious app. App crashes and other problems were also able to be caused in some of Google's own applications such as Translate, Voice Typing, and Text-to-Speech as well as Yandex Translate. So the vulnerability isn't limited to non-Google applications or those on offer from other third-parties.
In each case, it appears as though the problem stemmed primarily from developers failing to follow Google's guidelines for safety with regard to apps accessed and accessing external storage. The latter examples, for instance, failed to validate the integrity of data when that came from external storage. For its part, the search giant did immediately release patches for its own apps once notified of the problem while Xiaomi chose not to respond. Aside from touting validation, those suggest that developers should not store class files or executables in external storage and that files from that source need to be signed and cryptographically verified before being loaded. That should help prevent attacks. Bearing that in mind, the problem likely won't truly be solved until all developers follow those guidelines or Google secures external storage at the OS level.