A serious flaw has recently been discovered in Google's Admin Console application for Android that gave third-party applications access across the app's sandbox restrictions. In theory, the flaw would let a third-party app slip through those restrictions and read arbitrary files from the Admin app's sandbox by way of symbolic links.
A post on Full Disclosure by Rob Miller, senior security researcher at MWR Labs, outlined the issue:
An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a web-view within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox.
In plain English: not something you would want to happen. A third-party application with less than honourable intentions could, in effect, scoop all of your private data out of the Google Admin sandbox.
According to the post, once the malicious app is installed it sends a link in the setup_url parameter, which triggers the ResetPinActivity; that activity loads the link in a WebView running with the privileges of the Google Admin app. The attacker can place HTML at that link that introduces a delay, and during the delay delete the linked file and replace it with a symbolic link of the same name. As the Full Disclosure post puts it:
After one second the iframe in the WebView will load the file, which will now point to one of its own files. Because the parent and child frames have the same URL, the Same Origin Policy allows the parent frame to query the contents of the child frame. This means that the HTML that the attacker controls can read from the files loaded into the iframe and extract their data.
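As an added illustration, not code from the advisory or from the Google Admin app (whose source is not shown here): the vulnerable pattern described above beside a hardened form, written as an Android activity in Java. The activity structure, the extra name handling and the allowed host (a placeholder) are assumptions.

```java
// Added illustration, not the Google Admin app's source: the vulnerable
// WebView pattern the advisory describes, and a hardened form beside it.
import android.app.Activity;
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;

public class ResetPinActivity extends Activity {
    // "setup_url" and ResetPinActivity come from the article; the rest is assumed.
    static final String EXTRA_SETUP_URL = "setup_url";
    // Placeholder host for the allow-list; the real expected host is not on the page.
    static final String ALLOWED_HOST = "setup.example.com";

    // VULNERABLE PATTERN: whatever URL another app put in the Intent is loaded
    // in a WebView running inside this app's sandbox. A file:// URL pointing at
    // attacker-owned HTML is loaded, and a later symlink swap of that file lets
    // the page read this app's private files through an iframe (see the text above).
    void loadSetupUrlUnsafe(WebView webView) {
        String url = getIntent().getStringExtra(EXTRA_SETUP_URL);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.loadUrl(url); // no scheme check; file access left at its default (allowed)
    }

    // HARDENED FORM: accept only https URLs for the expected host, and switch off
    // file-URL loading and cross-file-URL access so a file:// page can never be
    // loaded, let alone read sibling files via an iframe after a symlink swap.
    void loadSetupUrlSafe(WebView webView) {
        String url = getIntent().getStringExtra(EXTRA_SETUP_URL);
        if (!isAllowedSetupUrl(url)) {
            finish(); // refuse the request instead of loading an untrusted URL
            return;
        }
        WebSettings s = webView.getSettings();
        s.setAllowFileAccess(false);                // no file:// loads at all
        s.setAllowFileAccessFromFileURLs(false);    // defence in depth on older API levels
        s.setAllowUniversalAccessFromFileURLs(false);
        webView.loadUrl(url);
    }

    // Allow-list check: scheme must be https and the host must match exactly.
    static boolean isAllowedSetupUrl(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

Rejecting the file scheme at the Intent boundary is the primary fix; the WebSettings calls remove the file-origin access that the iframe trick depends on even if a file URL slips through.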
The flaw was first brought to Google's notice on the 17th of March, after which the company requested two weeks to develop and release a patch. However, the company overshot its own deadline, and nothing was done to remedy the situation even after the 90-day deadline set by the company had passed. In fact, Google asked for a further delay to public disclosure when MWR Labs requested a status update in June on the promised patch that was supposed to plug the hole.
That is where things stand to date, with no updated version of the Google Admin application on the horizon. All users can do for now to protect themselves is to avoid installing untrusted third-party applications on devices that have Google Admin installed.
A Google spokesperson, speaking to ZDNet, said:
We thank the researchers for flagging this to us. We have addressed the issue in the Google Admin app and the fix has been released. In order for this issue to occur, a malicious app would need to be installed on the device. As far as we know, no one has been affected.