Android’s User Dictionary Vulnerability Allows Attackers to Steal Passwords & Credit Card Numbers from Your Phone

A well-documented research initiated by security researcher Daniel Kachakil, suggests that a vulnerability in Android’s User Dictionary could allow attackers to gain access to frequently used passwords and credit card numbers.  

The researcher highlights the fact that the recent versions of Android allowed him to gain access to the content provider (A part of the applications component of the android). His findings further show how he was able to extract data from the personal dictionary.  

According to the ASOP (Android Open Source Project), access to user dictionary is only granted to privileged accounts, spell checkers and input method editors (IMEs). The researcher insists that there is a way to bypass the set restrictions and can be targeted by malicious applications to exfiltrate the entire content captured in Android’s personal dictionary.   

What is Android User Dictionary/Personal Dictionary?

Personal Dictionary has a unique functionality in an Android phone and plays a vital role in decreasing the efforts in typing by learning from user’s typing habits. The data that it captures could be anything that the user types right from passwords, credit card numbers, emails, phone numbers, addresses etc. A lot of users assign manual short cuts for lengthy addresses etc using this feature of android phones.  

In-depth Analysis of the Discovered Vulnerability

Background

Android recently changed the read and write permissions to access user dictionary. Earlier the permissions were as follows.

  • android.permission.read_user_dictionary 

  • android.permission.write_user_dictionary 

However, after the recent changes the above-mentioned permissions were re-configured. According to the latest ASOP documentation the restricted access to user dictionary content provider was changed and made accessible through Input Method Editor (IME), privilege accounts and spellchecker.  

To execute the newly deployed changes in android’s user dictionary a new private function canCallerAccessUserDictionary was created. This function is designed to invoke query, insert, update, and delete functions.  

The core functionality of such an interaction between the above-mentioned private functions and other functions is to ensure prevention of all unauthorized calls to these functions.  

The Discovered Security Vulnerability: Researcher Daniel Kachakil detected a delay in the authorization check in update and delete functions. What needs to be taken cognizance of is that, due to the repeated delays in authorization check a specially crafted application can be used through the exposed user dictionary content providers to bypass authorization check. This vulnerability can be critical since an attacker could take undue advantage of the delay in authorization check and gain access to the content provider. 

The content in user dictionary can be deleted and updated using a malicious application which would not be of great importance from an attacker’s perspective. However, it’s possible to gain access to the database which could prove to be a huge problem given the fact that the data can be sensitive.  

Time-based, Blind SQL Injection Attack Used to Bypass Authorization Checks & Access Personal Data 

The code of a malicious application uses time-based, blind SQL injection attack to exploit delay in authorization checks and then gain access to the affected database and exfiltrate sensitive information.  

The proof of concept provided by the researcher contains the following code executed by a malicious application to exploit the problem of delayed authentication checks. 

ContentValues values = new ContentValues();  

values.put(UserDictionary.Words._ID, 1);  

 
long t0 = System.nanoTime(); 

 
for (int i=0; i<200; i++) { 
     getContentResolver().update(UserDictionary.Words.CONTENT_URI, values, 
                "_id = 1 AND word LIKE 'a%'", null); 

long t1 = System.nanoTime()

Best way to Protect Yourself from Such Attacks 

Given the fact that this vulnerability can be used to access personal data in the user dictionary, it is quite possible that the attacker can get lucky and gain access to sensitive information such as frequently used banking passwords and credit card numbers. One of the most important remediations that has been suggested by the researcher is that users must review the content of personal dictionary frequently and delete anything that is deemed as sensitive data. 

Details
Category