Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
  • About Us

    We have previously discussed an Android vulnerability that may lead to user data being captured or  used to launch attacks. We discovered that the popular Android app for Evernote contained the said vulnerability. We disclosed the details to Evernote, and they took action by issuing an update to the Android version of their app. Evernote has added additional controls to protect user data in Evernote for Android 5.8.5. Android users who are running versions below 5.8.5 should update to the latest version.

    The Content Providers Vulnerability

    The patched vulnerability is related to the Android component that stores application data. This component has an attribute (android:exported) which may allow other apps to read or write certain data on the affected app.

    The previous version of Evernote has defined two permissions to protect the content provider that is used to store almost all of the user’s data. However, the protection level of these two permissions has been set as “normal,” which means other applications on the device can be granted these two permissions.


    Figure 1. Sample Evernote entry


    Figure 2. Content shown by exploiting the content provider vulnerability

    Cybercriminals may create malicious applications that may be used to capture the data stored in the Evernote app. For users who rely on Evernote to store sensitive information such as user accounts and passwords, this could lead to data theft, identity fraud, and more.

    Exposed, Unencrypted Data

    Apart from the vulnerability explained above, we’ve also found another vulnerability that may allow malicious apps to see all the notes in the affected device because of where the notes are stored.

    The Evernote app stores all the user’s notes in external storage under the directory /sdcard/Android/data/con.evernote/files/. Unfortunately, the files stored in this folder are not encrypted and can be read by other apps.


    Figure 3. Sample note


    Figure 4. The note is accessed by exploiting the SD card vulnerability

    The Android OS version of the affected device also affects the amount of access given to apps. For Android 4.3 and earlier versions, an app doesn’t even require special permission to access the said folder. For Android 4.4 and later versions, the READ_EXTERNAL_STORAGE permission is required. However, this permission is common for most apps so a malicious app requesting this permission will not arouse suspicion.

    Malicious users can write a simple code snippet to read/write files stored by the said app and inject it to repackaged applications that have the READ_EXTERNAL_STORAGE permission. Attackers can then use these repackaged apps to trick users into giving them the said permission.

    We are disclosing this information in order for developers who may have likewise incorrectly implemented this external storage provision to modify their apps. Developers should also define their permissions in the signature level to protect their important components. We also encourage developers to implement encryption for any content the app creates, handles, and transmits. If possible, any sensitive information should not be stored in external storage.

    We have notified Evernote of this new vulnerability. We are not currently aware of any active attacks using this flaw.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice