Man-in-the-disk (MITD) is an attack vector that allows an intruder to intercept and potentially alter data as it moves between Android external storage and an installed mobile app. MITD is a variation of the more commonly known man-in-the-middle attack. The attack exploits poorly written code that fails to follow Google's recommendations for how apps should use external storage.
In any device that employs the Android OS, there are two types of storage: internal and external. Internal storage for Android apps is sandboxed with the app, but external storage is intended to allow file sharing between applications. Android developers are encouraged to program applications so that all data is safely stored within the Android device's internal storage, but when a program is created that stores all or part of its data in the external part of the Android's storage system, the data becomes an attack surface because the data is vulnerable to manipulation by outside parties.
Typically, external storage is located on an SD card or within a storage partition on the Android device and is used to share files between applications. During an MITD attack, when a legitimate program attempts to run a regular update, the attacker can replace the update files with an entirely new program or manipulate the application by tampering with the update's code. Once malicious applications are installed or changes are made with code injection, a third party can bypass the system's security and gain access to sensitive information, like contact lists and photos, or hardware, like microphones and cameras. This kind of attack can also cause the program to show an error and spontaneously shut down, it can tamper with other applications, or it can run malicious code that damages the device or completely takes it over via a privilege escalation attack.
Prevention of man-in-the-disk attacks
Android developers can prevent man-in-the-disk attacks by following Google's guidelines for creating Android apps. Ideally, Android developers should program their app to store all files and data within the Android device's internal storage, which is compartmentalized and isolated for security. However, some applications may require the use of external storage in situations where internal storage lacks a sufficient capacity or compatibility. In those cases, developers should perform input validation when handling external storage data, should not store executables or class files within external storage and all files should be cryptographically verified prior to dynamic loading.
Android users can prevent man-in-the-disk attacks by following good security habits such as:
- Only downloading Android applications from valid sources, like the Google Play Store.
- Only downloading necessary applications.
- Deleting applications no longer in use.
- In settings, disabling the ability to install applications from third party sources.
- Staying on top of news about common attacks and attack surfaces.