A closer look at the Gmail smartphone app hack and its wider implications

The researchers who hacked into Gmail on Android were able to show that apps can interfere with each other, and that's the really scary part.

We may become inured to news about the hacking of our personal applications and data. That will be easy to do, because the sheer number of points of failure is reducing the urgency of each security failure.

Yesterday, the news was dominated by the story that Gmail was hacked on Android by getting one app to effectively spy on another.

The attack actually uses a method that bypasses the "sandboxing" of apps within the platform. Essentially, apps aren't supposed to be able to interfere with each other, so researchers at the University of Michigan and NEC Labs America hacked the User Interface (UI).

In the paper, which was delivered at the USENIX Security Symposium in San Diego, the researchers pointed out that the security of an Android phone's UI can be compromised by background apps.

The following videos amply demonstrate the hijacking of the phone using the UI. H&R Block, Chase, and NewEgg are shown here but not Gmail.

Data from the Graphical User Interface (GUI) is stored in memory that is shared by all apps. In six out of seven popular Android apps, the researchers showed that they could compromise that GUI data for other apps and steal the user's input data.

So, essentially, the background app from the researchers has found a way to figure out what is happening on your phone screen by looking at the memory configuration of your display. You input your login and password into an app and the researchers get to see it, and they did the vast majority of the time.

So, this isn't just a case of a Gmail vulnerability. That makes for a great headline.

But I would be more concerned about having my banking app hacked, or about the fact that this method exposes almost any app running within the system that uses the standard processes for the UI and GUI of the phone.

The researchers were tracking activities and even hijacking and peeking into the camera.

The good news is that the researchers have offered ways to eliminate the "side channel" where the data they accessed is stored, and ways to make the system more secure.

Check out the paper by the researchers: Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks.

This was a much bigger and scarier attack than getting into Gmail, even though that is pretty scary in itself.