Connect with us

Hi, what are you looking for?


Mobile & Wireless

App-in-the-Middle Attacks Bypass Android Sandbox: Skycure

The Android sandbox environment previously known as Android for Work is susceptible to “app-in-the-middle attacks” that put enterprise data at risk, Skycure security researchers say.

The Android sandbox environment previously known as Android for Work is susceptible to “app-in-the-middle attacks” that put enterprise data at risk, Skycure security researchers say.

The secure framework, currently referred to as “work features in Android,” is meant to address the BYOD (Bring Your Own Device) approach that brings millions of personal devices into business environments. Introduced in Android 5.0 Lollipop, the feature aims to separate business and personal data on the same device through the use of a second, business profile managed by IT administrators.

Having all of the business applications, email and documents managed and secured within the business profile but leaving the personal profile unrestricted would provide users a sense of increased privacy, because admins would not be able to manage or monitor their personal apps. The feature leverages the mechanism of user separation.

According to Skycure, while Android for Work was designed as an additional sandbox to prevent apps from outside the container from accessing data inside it, two ‘app-in-the-middle’ attacks allow malicious apps in the personal profile to break this wall. Thus, Android for Work is only a seemingly secure framework, and sensitive enterprise information can be accessed and stolen from the personal profile, they say.

The two attacks, however, prey on the weakest link in the security chain, namely the human factor. User interaction is required for both attacks to be successful, the researchers have discovered.

The first such attack, the security firm explains, relies on a malicious application in the personal profile acquiring permissions to view and take action on all notifications, including those from the sandboxed environment. Because Notifications access is a device-level permission, a malicious app would immediately have access to sensitive information such as calendar meetings, email messages and other information in these notifications.

“This capability circumvents the secure separation logic between personal and work profiles, which is offered by Android for Work. An app-in-the-middle attack may manipulate a user to enable the Notification Access permission (even for a legitimate function in the personal persona) in order to gain access to information in the work profile. If the malicious app is designed to transmit the information viewed in notifications to a command and control server, then the information contained in notifications is no longer secure,” Yair Amit, CTO & Co-Founder at Skycure, explains in a blog post.

Advertisement. Scroll to continue reading.

The security company notes that an attacker could initiate a “forgot password” process on some enterprise systems and hijack the subsequent on-device notification, thus receiving full enterprise access, without being necessarily restrained to the mobile device. By immediately dismissing the notification and archiving the recovering email through the Android Notifications API, the malicious app could prevent the user from noticing the attack.

“This presents a serious threat to the use of Android for Work as a secure sandbox for mobile work productivity, as EMM [Enterprise Mobility Management] solutions have no mechanism to recognize or defend against it. The attacker may even capture 2-factor authentication and administrators will not have any visibility of the theft,” Amit says. The company also published a video to demonstrate this attack.

The second app-in-the-middle attack leverages Android’s Accessibility Service, which was designed to offer user interface enhancements when users interact with their device. Because this service has access to “virtually all content and controls, both reading and writing, on the device,” an application in the personal profile with Accessibility permissions could access applications executed in the sandbox, researchers say.

As detailed in this video demonstration, because the attack resides in the personal profile, which isn’t monitored or controlled from the work profile, IT administrators can’t detect the exposure of sensitive information if the malicious application uses the Accessibility Service, researchers say. However, for such an attack to be possible, an application would have to register as an Accessibility Service and manipulate the user to grant the access.

According to the security company, Android engineers have implemented an API for the whitelisting of Accessibility Services, which EMM vendors can implement in their Android for Work administration interfaces. This API, the company notes, can be circumvented either by a malicious app that has the same package name as a whitelisted legitimate app, or by an existing malicious app-in-the-middle Accessibility service that tricks the user into whitelisting it (because non-system Accessibility services already enabled on the device have to be whitelisted).

“The interesting thing about both of these app-in-the-middle methods of defeating the Android for Work profile separation is that the device and the Android operating system remain operating exactly as designed and intended. It is the user that must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information,” the security firm says.

Skycure notes that the Android team has been contacted on this matter but that their investigation determined that the aforementioned application behavior is intended, and not considered a security vulnerability. However, they agreed that the findings should be made public, “to raise awareness to the exposure.” The danger related to these issues, the company says, is the illusion of security that the sandbox offers.

“The attack flows that we uncovered exploit valuable capabilities of Android in a way that transforms these features into a major security risk to organizations that utilize Android for Work and expect it to stay secure. This is a user-experience vs. security tradeoff dilemma. We appreciate Google’s commitment to security, but strongly believe that more work needs to be done in order to better protect organizations against App-in-the-Middle attacks,” Amit told SecurityWeek in an email.

Related: Most Android Devices Prone to Accessibility Clickjacking Attacks

Related: Banking Trojans Abuse API to Evade Android Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.