A new flaw gives attackers the ability to track locations if they’re near a WiFi router. The flaw, tracked as CVE-2018-9581, leaks information through inter-process communication.

While applications on Android are typically isolated by the OS from one another and from the OS itself, there are still mechanisms for sharing data between them when required. One of those mechanisms is what Android calls “intents.” The OS itself can send out an “intent” message, which is broadcast framework-wide and can be received by different applications. Without appropriate access restrictions around Android intents, a malicious application can see data from other applications that it shouldn’t have access to.

“While functionality exists to restrict who is allowed to read such messages, application [and OS] developers often neglect to implement these restrictions properly or mask sensitive data. This leads to a common vulnerability within Android applications where a malicious application running on the same device can spy on and capture messages being broadcast by other applications,” said a research lead.

This is not new for Android; in fact, it has experienced similar issues with bugs like CVE-2018-9489 and CVE-2018-15835. These also share many characteristics with the man-in-the-disk issue.
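The restrictions the quote refers to are applied by the sender of the broadcast. The sketch below is an added example, not code from Android or from the research described above; it contrasts an unrestricted broadcast with two restricted forms, and the class, action, extra and permission names are hypothetical.

```java
import android.content.Context;
import android.content.Intent;

/** Added illustration: every name defined in this class is hypothetical. */
public final class StatusBroadcaster {
    static final String ACTION_STATUS = "com.example.app.action.STATUS";
    static final String EXTRA_STATE = "state";
    static final String EXTRA_ACCOUNT_ID = "account_id";
    // Assumed to be declared in the sender's AndroidManifest.xml with
    // android:protectionLevel="signature", so that only apps signed with
    // the same key can hold it.
    static final String PERM_READ_STATUS = "com.example.app.permission.READ_STATUS";

    private StatusBroadcaster() {}

    /** Weak: implicit broadcast with no receiver permission. Any app on the
     *  device that registers a receiver for ACTION_STATUS gets both extras. */
    static void sendUnrestricted(Context ctx, String state, String accountId) {
        Intent intent = new Intent(ACTION_STATUS);
        intent.putExtra(EXTRA_STATE, state);
        intent.putExtra(EXTRA_ACCOUNT_ID, accountId);
        ctx.sendBroadcast(intent);
    }

    /** Restricted to this app: setPackage() limits delivery to receivers
     *  inside the named package, here the sender's own. */
    static void sendInApp(Context ctx, String state, String accountId) {
        Intent intent = new Intent(ACTION_STATUS);
        intent.setPackage(ctx.getPackageName());
        intent.putExtra(EXTRA_STATE, state);
        intent.putExtra(EXTRA_ACCOUNT_ID, accountId);
        ctx.sendBroadcast(intent);
    }

    /** Restricted across apps: only receivers holding PERM_READ_STATUS are
     *  delivered the broadcast, and the sensitive extra is left out so a
     *  mistake in the permission setup exposes less. */
    static void sendToTrustedApps(Context ctx, String state) {
        Intent intent = new Intent(ACTION_STATUS);
        intent.putExtra(EXTRA_STATE, state);
        ctx.sendBroadcast(intent, PERM_READ_STATUS);
    }
}
```

When reviewing an application, each `sendBroadcast` call that carries user or device data and has neither a target package nor a receiver permission is a candidate for this class of leak.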