Today, much of our sensitive information is stored inside mobile applications (apps), such as the browsing histories and chatting logs. To safeguard these privacy files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps' file zones from one another. However, we show in this paper that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike the previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps in victim's smartphones. We finally compare the impacts of four different types of IFL attacks on Android and iOS, and propose several mitigation methods.
翻译:今天,我们的大部分敏感信息都储存在移动应用程序(应用程序)中,例如浏览历史和聊天记录。为了保护这些隐私文件,现代移动系统,特别是Android和iOS,使用沙箱将应用程序的档案区相互隔开。然而,我们在本文中显示,这些私人文件仍然可以通过间接利用受害者应用程序所信任的部件而泄漏。特别是,我们设计新的间接文件泄漏(IFL)攻击,利用浏览器界面、指令翻译和嵌入的应用程序服务器来泄漏来自非常受欢迎的应用程序的数据,例如Evernote和...。我们与以前的攻击不同,我们证明这些IFL可以同时影响Android和iOS。此外,我们的IFL方法允许对手在不将恶意应用程序植入受害者智能手机的情况下远程发动攻击。我们最后比较了四种不同类型的IFL攻击对Android和iOS的影响,并提出了几种缓解方法。