Apps that make sloppy use of SD cards leave your phone vulnerable to hackers


Android apps that make careless use of external storage (such as SD cards) could leave your phone vulnerable to hackers.

Your phone's internal storage is carefully managed – each app uses it separately, and it's protected by the Android sandbox. External storage, like SD cards, is different. It allows data to be shared between apps and doesn't have the same protection.

Researchers from Check Point Security discovered that apps that use external storage without proper security precautions leave devices vulnerable to 'Man-in-the-Disk' attacks. These could allow a hacker to install malware, prevent legitimate apps from running, and even make apps crash.

External affairs

A developer might use external storage to make it look as though their app uses less space than it actually does, to make it compatible with older devices, or to provide extra space when the phone's internal storage isn't enough.

Google provides some basic guidelines for developers who decide to do this:

  • Perform input validation when handling data from external storage
  • Do not store executables or class files on external storage
  • External storage files should be signed and cryptographically verified prior to dynamic loading

However, Check Point found several apps in the Google Play Store that ignored these rules, including two of Google's own tools: Google Translate and Google Voice Typing. Neither of these apps validated the integrity of data from external storage, and the researchers were able to exploit that vulnerability to make them crash.

They also discovered that Xiaomi Browser used external storage to store app updates. By replacing the update code, they were able to cause a different app to be installed without permission. Check Point contacted Google, which released a fix shortly after, but Xiaomi chose not to act.
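The third guideline above, applied to an update file like the one in the Xiaomi Browser case, can be sketched as follows. This is an added example, not code from Check Point, Google or any of the apps named: it uses plain Java so it runs off-device, temporary directories stand in for external and app-private storage, and the class name, method name and key pair are hypothetical.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;

public class VerifiedImport {
    // Copy the untrusted file into app-private storage while feeding the same bytes
    // to the signature check, so the bytes verified are the bytes used afterwards.
    static Path importVerified(Path external, byte[] sig, PublicKey key, Path privateDir)
            throws IOException, GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        Path staged = Files.createTempFile(privateDir, "staged-", ".bin");
        boolean ok = false;
        try (InputStream in = Files.newInputStream(external);
             OutputStream out = Files.newOutputStream(staged)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                verifier.update(buf, 0, n);
                out.write(buf, 0, n);
            }
            ok = verifier.verify(sig);
        } finally {
            if (!ok) Files.deleteIfExists(staged);   // never leave unverified data behind
        }
        if (!ok) throw new SecurityException("signature mismatch: " + external.getFileName());
        return staged;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: temp dirs stand in for external and app-private storage,
        // and a fresh key pair stands in for the developer's release signing key.
        Path external = Files.createTempDirectory("external");
        Path internal = Files.createTempDirectory("internal");
        KeyPair kp = KeyPairGenerator.getInstance("EC").generateKeyPair();
        byte[] update = "constructed update payload".getBytes("UTF-8");
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(update);
        byte[] sig = signer.sign();
        Path file = external.resolve("update.bin");
        Files.write(file, update);
        System.out.println("staged: " + importVerified(file, sig, kp.getPublic(), internal));
        Files.write(file, "replaced on shared storage".getBytes("UTF-8"));
        try {
            importVerified(file, sig, kp.getPublic(), internal);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Verifying the file in place on external storage and then reopening it would leave a window in which it can be swapped; staging a private copy and checking that copy closes it.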

"From experience then, it would seem that mere guidelines are not enough for OS vendors to exonerate themselves of all responsibility for what is designed by app developers," Check Point said. "Instead, securing the underlying OS is the only long-term solution to protecting against this new attack surface uncovered by our research."

Via Wired

Cat Ellis
Homes Editor