Mobile OS a weak link for hackers

August 25, 2014 // By Jean-Pierre Joosting
As mobile internet becomes more prevalent and PCs and laptops lose their dominance as the primary gateway to the Internet, hackers are casting their eyes on mobile operating systems with a view to exploiting any vulnerabilities. This is especially pertinent as mobile carriers, manufacturers and banks start creating mobile wallets. However, researchers drawing on the experience of PCs and laptops are trying to identify such vulnerabilities first. Hopefully, this will allow vulnerabilities to be fixed before they get out of hand.

A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, has identified a weakness believed to exist in the Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack on an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

The paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," has been presented at the USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.

The researchers believe their method will work on other operating systems because they share a key feature the researchers exploited in the Android system. However, they haven't tested the program on the other systems.

A team of engineers has developed a method that allows them to successfully hack into apps up to 92 percent of the time. Credit: Luis Sanz.