SoylentNews is people

posted by martyb on Saturday August 19 2017, @06:04PM
from the slurp-slurp-slurp dept.

Arthur T Knackerbracket has found the following story:

Oxford researchers [...] (Vincent Taylor, Alastair Beresford and Ivan Martinovic) [...] [looked] at how the same library in two different apps could expose information from a higher-privilege app to one with lower privilege.

They write that this “intra-library collusion” (ILC) happens “when individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted”.

As the paper explains, shared libraries can borrow permissions an app doesn't have [...] That's a threat, because library re-use across different apps isn't a bug, it's a feature: it makes app development more efficient and keeps apps small by letting them use code pre-loaded to a device.

While noting that attackers are standardising their own libraries, the researchers focussed their effort on advertising libraries [...] handling location, app usage, device information, communication data like call logs and messages, access to storage (including, for example, a user's files which can indicate their interests), and the microphone.

Of more than 15,000 apps with more than a million downloads, the researchers went to work decompiling apps to identify the libraries they linked to. Those they successfully decompiled, they analysed for their intra-library collusion potential.

The 18 most popular libraries include familiar names:

| Library | % of apps |
|---|---|
| com/facebook | 11.9 |
| com/google/android/gms/analytics | 9.8 |
| com/flurry | 6.3 |
| com/chartboost/sdk | 5.9 |
| com/unity3d | 5.2 |
| com/applovin | 3.5 |
| com/mopub | 3.1 |
| com/inmobi | 3.0 |
| com/google/ads | 3.0 |
| com/google/android/gcm | 2.7 |
| com/tapjoy | 2.4 |
| org/cocos2d | 2.4 |
| com/amazon | 2.0 |
| com/millennialmedia | 1.6 |
| org/apache/commons | 1.4 |
| com/heyzap | 1.4 |
| com/nostra13/universalimageloader | 1.3 |
| com/adobe/air | 1.0 |

“The main catalyst that allows ILC to happen is the failure of the Android permission system to separate the privileges of libraries and their host apps”, they write, and this at least offers opportunities for an underhanded ad network to improve their data collection without seeking extra permissions from users.

[...] Digging deeper into how advertiser libraries behaved, they found on average those libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day”.

-- submitted from IRC
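
The combined-privilege effect described in the story, as an added example (not code from the paper or from this page): given each app's granted permissions and decompiled class paths, it finds libraries embedded in two or more apps and lists the permissions each copy holds only through the library's other hosts. The app names, class paths and inventory are constructed; the library prefixes use the path form of the table above.

```python
from collections import defaultdict

# Library package prefixes, in the path form used in the table above.
LIBRARY_PREFIXES = ("com/flurry", "com/mopub", "com/google/android/gms/analytics")

# Constructed inventory: app -> (granted permissions, decompiled class paths).
INSTALLED = {
    "example.maps": ({"ACCESS_FINE_LOCATION", "INTERNET"},
                     ["example/maps/Main", "com/flurry/sdk/Agent"]),
    "example.dialer": ({"READ_CALL_LOG", "READ_CONTACTS", "INTERNET"},
                       ["com/flurry/android/Ads", "com/mopub/mobileads/View"]),
    "example.game": ({"INTERNET"},
                     ["com/mopub/common/Init", "com/flurryx/NotFlurry"]),
}


def libraries_in(class_paths):
    """Return the known library prefixes present in an app's class paths."""
    found = set()
    for path in class_paths:
        for prefix in LIBRARY_PREFIXES:
            # Match on a path boundary so com/flurryx is not taken for com/flurry.
            if path == prefix or path.startswith(prefix + "/"):
                found.add(prefix)
    return found


def ilc_report(installed):
    """For each library found in two or more apps, return its combined
    permissions and, per host app, those it holds only via other hosts."""
    hosts = defaultdict(dict)
    for app, (perms, classes) in installed.items():
        for lib in libraries_in(classes):
            hosts[lib][app] = set(perms)
    report = {}
    for lib, apps in hosts.items():
        if len(apps) < 2:
            continue  # collusion needs the same library in multiple apps
        combined = set().union(*apps.values())
        gained = {app: combined - perms for app, perms in apps.items()}
        report[lib] = {"combined": combined, "gained": gained}
    return report


if __name__ == "__main__":
    for lib, entry in sorted(ilc_report(INSTALLED).items()):
        print(lib, sorted(entry["combined"]), entry["gained"])
```

A non-empty `gained` set for an app means the library inside it can be fed data that the user never granted to that app.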


  • (Score: -1, Troll) by Anonymous Coward on Saturday August 19 2017, @06:09PM

    by Anonymous Coward on Saturday August 19 2017, @06:09PM (#556430)

    Wild Thang!

  • (Score: 2) by RamiK on Saturday August 19 2017, @07:37PM

    by RamiK (1813) on Saturday August 19 2017, @07:37PM (#556450)

    Back in the day, Open Whisper Systems' Signal was forked over the usage of Google APIs for trivial wake up events and the like. Eventually, Moxie voiced his displeasure about the fork using their server infrastructure and so the project died. Well, following this study, there were reasons to be concerned after all: By using Google's libraries, Signal is effectively handing Google access to contacts, non-encrypted SMSs, encrypted messages' metadata, etc...

    Well, at least it's better than Allo.

    --
    compiling...
  • (Score: 0) by Anonymous Coward on Sunday August 20 2017, @12:04AM (1 child)

    by Anonymous Coward on Sunday August 20 2017, @12:04AM (#556531)

    It's not possible to sanely restrict what a library can do... do you know how much overhead that would involve? a lot.

    • (Score: 0) by Anonymous Coward on Sunday August 20 2017, @12:58AM

      by Anonymous Coward on Sunday August 20 2017, @12:58AM (#556547)

      Not true. In the case where you need the same library loaded, and actively in use for two different applications with different permissions, set the library's permissions to the overlap (not union). In the event of a permission error, you can either duplicate the library in memory, or temporarily only schedule one library's users at a time and toggle the permissions.

      I expect the cases where this would cause significant overhead are rare. My phone very rarely needs to run two apps with significant CPU load or latency requirements at the same time, so in the rare case where some background app needs the library with different permissions, it can wait for a change, then get its little time with different permissions.

      Also, can't most memory mapping hardware map the same physical page to two different virtual pages with different permissions? And aren't the different apps running in different processes just sharing read-only code memory? How is this even a problem?

      This isn't hard. You build a secure system that follows its permissions rules, even if the overhead is high, then work on lowering the overhead. Just making stuff insecure is stupid.

  • (Score: 2, Insightful) by Ethanol-fueled on Sunday August 20 2017, @02:10AM (1 child)

    by Ethanol-fueled (2792) on Sunday August 20 2017, @02:10AM (#556565) Homepage

    I notice a pattern here. All those services belong to companies we hate. And of course Google's crap is going to be riddled with backdoors no matter what they tell you.

    • (Score: 0) by Anonymous Coward on Sunday August 20 2017, @04:32AM

      by Anonymous Coward on Sunday August 20 2017, @04:32AM (#556592)

      You've been backdoored many times.

  • (Score: 0) by Anonymous Coward on Sunday August 20 2017, @04:30AM (1 child)

    by Anonymous Coward on Sunday August 20 2017, @04:30AM (#556591)

    Libraries don't (and can't) have permissions themselves. They are snippets of code that run with the permissions of whatever application is linked to them. In order for a library to expose data between applications, the library would have to be purposely written to do that. A well-written library won't allow one application to spy on another application. It's normally okay to have a banking application and a game application use the same library but if the library is "bad" it could potentially store and share sensitive data between applications. I bet there are already advertising/analytical type libraries that do this to collect more info from you than you think you are sharing.

    • (Score: 0) by Anonymous Coward on Sunday August 20 2017, @07:10AM

      by Anonymous Coward on Sunday August 20 2017, @07:10AM (#556611)

      I assume you have never seen an Android app; they generally require all of the permissions to maximize monetization. Also, libraries are made with calls that have the permissions of the app, which may as well be root in most cases.

  • (Score: 2) by Wootery on Sunday August 20 2017, @09:13AM

    by Wootery (2341) on Sunday August 20 2017, @09:13AM (#556628)

    library re-use across different apps isn't a bug, it's a feature: it makes app development more efficient and keeps apps small by letting them use code pre-loaded to a device.

    If that increase in efficiency means deviating from expected behaviour, it shouldn't be done.

    It's like the 'as if' rule in compilers: your compiler doesn't have to use the CPU's multiplication instruction, it just has to have the right effect, of giving the required multiplication. If this can be done faster with addition and shifting, the compiler is free to go that route instead.

    Isn't this the same thing? If the libraries subsystem reduces duplication while keeping identical behaviour, that's great. If it b0rks the permissions system, though, then that means the libraries subsystem is buggy.

  • (Score: 0) by Anonymous Coward on Sunday August 20 2017, @02:15PM (1 child)

    by Anonymous Coward on Sunday August 20 2017, @02:15PM (#556680)

    So the problem really is dynamically loaded libraries. Here's a fix for y'all: use static linking instead. That way each app has its own version of the lib and it doesn't share it with anyone else since the lib is linked into the binary instead of reused when already loaded.

    With memory and storage being this damn cheap, is there really a reason to continue to use dynamic linking?

    • (Score: 2) by Pino P on Sunday August 20 2017, @09:47PM

      by Pino P (4721) on Sunday August 20 2017, @09:47PM (#556792) Journal

      With memory and storage being this damn cheap, is there really a reason to continue to use dynamic linking?

      Memory is cheap, but replacing the rest of the device to upgrade said memory isn't. If each app package contains a redundant copy of a substantial fraction of the operating system libraries, then what do you recommend for the user of a device with 8 GB eMMC storage and 1 GB or 2 GB RAM?

      Memory is cheap, but last-mile Internet connections aren't. What do you recommend when a security vulnerability is discovered and corrected in a library, but the user is behind a harshly metered cellular or satellite Internet connection that makes it expensive to re-download tens or hundreds of MB for each of a dozen apps that use a particular library?

  • (Score: 2) by BasilBrush on Sunday August 20 2017, @05:08PM (7 children)

    by BasilBrush (3994) on Sunday August 20 2017, @05:08PM (#556723)

    The title says smartphones. It doesn't become clear until nearly the end that this is specifically an Android problem. Not iOS.

    --
    Hurrah! Quoting works now!
    • (Score: 2) by Pino P on Sunday August 20 2017, @09:52PM (6 children)

      by Pino P (4721) on Sunday August 20 2017, @09:52PM (#556793) Journal

      If an iPhone user has installed apps that use a particular library that total 1 GB, and there's a security update for that library, how much data does the App Store have to download on the user's behalf through a metered connection to apply this security update to all such apps?

      • (Score: 2) by BasilBrush on Monday August 21 2017, @12:12AM (5 children)

        by BasilBrush (3994) on Monday August 21 2017, @12:12AM (#556815)

        Really? You're trying to make up a scenario for saving some bandwidth in order to excuse an Android security flaw? LOL.

        The answer is that 1GB is not a realistic size for a library. The only shared libraries are those built in to iOS. Each app is separate and has its own libraries. And app upgrades are deltas, so the bandwidth is not easily predictable. But any updates over 100MB will only happen over WiFi. And if you want you can set it so all updates are done over WiFi.

        - There's nothing there that justifies the Android security flaw.

        --
        Hurrah! Quoting works now!
        • (Score: 2) by Pino P on Monday August 21 2017, @06:10PM (4 children)

          by Pino P (4721) on Monday August 21 2017, @06:10PM (#557147) Journal

          how much data does the App Store have to download on the user's behalf through a metered connection to apply this security update to all such apps?

          app upgrades are deltas, so the bandwidth is not easily predictable.

          This at least means 33 different apps averaging 30 MB won't cause 990 MB of downloads. Thank you for clarifying.

          any updates over 100MB will only happen over WiFi.

          A home Wi-Fi network's upstream connection to the Internet is also metered. Satellite and home cellular tended to run $5/GB last I checked.

          • (Score: 2) by BasilBrush on Monday August 21 2017, @10:10PM (3 children)

            by BasilBrush (3994) on Monday August 21 2017, @10:10PM (#557249)

            Metered WiFi? Where do you live? You are getting ripped off.

            --
            Hurrah! Quoting works now!
            • (Score: 2) by Pino P on Tuesday August 22 2017, @03:28PM (2 children)

              by Pino P (4721) on Tuesday August 22 2017, @03:28PM (#557533) Journal

              Metered WiFi? Where do you live?

              I live in the service area of Xfinity Internet by Comcast, which has a 1000 GB/mo cap. But someone in another online community I'm in lives on a mountain and is thus stuck with satellite. Satellite and fixed cellular Internet tend to have a cap on the order of 10 to 20 GB/mo, as does DSL in some rural areas [communitynewspapergroup.com] (via the green site [slashdot.org]).

              You are getting ripped off.

              Agreed. The U.S. ripped off its citizens by handing out subsidies to last mile ISPs without attaching strings of universal coverage. This left rural areas and markets with restrictive utility right-of-way ordinances (such as Seattle) with inferior home Internet connections.

              • (Score: 2) by BasilBrush on Tuesday August 22 2017, @07:58PM (1 child)

                by BasilBrush (3994) on Tuesday August 22 2017, @07:58PM (#557688)

                That sucks.

                I'm in the UK. Broadband is unlimited data.

                Cellular data will be metered for cheaper deals, but pay about £35 a month ($45) and you can get unlimited data, even with no contract.

                --
                Hurrah! Quoting works now!
                • (Score: 2) by Pino P on Monday August 28 2017, @06:32PM

                  by Pino P (4721) on Monday August 28 2017, @06:32PM (#560380) Journal

                  Some U.S. cellular carriers offer unmetered data, but as I understand it, the plan applies to a single device rather than tethering. So you get unmetered data on your iPhone, but not on the iPod touch, iPad, or Mac that uses it as a hotspot. And unmetered plans give minimum priority to a subscriber's packets or even cut the subscriber back to EDGE starting at 25 GB or so.

                  From "LTE Internet Installed" by Verizon Wireless [verizonwireless.com]: 10 GB/mo is $60/mo, 20 GB/mo is $90/mo, 30 GB/mo is $120/mo, and 40 GB/mo is $150/mo, with overages at $10/GB.

                  This is one reason why Apple's delta updates are so important.
