We have previously discussed an Android vulnerability that may lead to user data being captured or used to launch attacks. We discovered that the popular Android app for Evernote contained the said vulnerability. We disclosed the details to Evernote, and they took action by issuing an update to the Android version of their app. Evernote has added additional controls to protect user data in Evernote for Android 5.8.5. Android users who are running versions below 5.8.5 should update to the latest version.
The Content Providers Vulnerability
The patched vulnerability is related to the Android component that stores application data. This component has an attribute (android:exported) which may allow other apps to read or write certain data on the affected app.
The previous version of Evernote has defined two permissions to protect the content provider that is used to store almost all of the user’s data. However, the protection level of these two permissions has been set as “normal,” which means other applications on the device can be granted these two permissions.
Figure 1. Sample Evernote entry
Figure 2. Content shown by exploiting the content provider vulnerability
Cybercriminals may create malicious applications that may be used to capture the data stored in the Evernote app. For users who rely on Evernote to store sensitive information such as user accounts and passwords, this could lead to data theft, identity fraud, and more.
Exposed, Unencrypted Data
Apart from the vulnerability explained above, we’ve also found another vulnerability that may allow malicious apps to see all the notes in the affected device because of where the notes are stored.
The Evernote app stores all the user’s notes in external storage under the directory /sdcard/Android/data/con.evernote/files/. Unfortunately, the files stored in this folder are not encrypted and can be read by other apps.
Figure 3. Sample note
Figure 4. The note is accessed by exploiting the SD card vulnerability
The Android OS version of the affected device also affects the amount of access given to apps. For Android 4.3 and earlier versions, an app doesn’t even require special permission to access the said folder. For Android 4.4 and later versions, the READ_EXTERNAL_STORAGE permission is required. However, this permission is common for most apps so a malicious app requesting this permission will not arouse suspicion.
Malicious users can write a simple code snippet to read/write files stored by the said app and inject it to repackaged applications that have the READ_EXTERNAL_STORAGE permission. Attackers can then use these repackaged apps to trick users into giving them the said permission.
We are disclosing this information in order for developers who may have likewise incorrectly implemented this external storage provision to modify their apps. Developers should also define their permissions in the signature level to protect their important components. We also encourage developers to implement encryption for any content the app creates, handles, and transmits. If possible, any sensitive information should not be stored in external storage.
We have notified Evernote of this new vulnerability. We are not currently aware of any active attacks using this flaw.