Man-in-the-Disk

Organizations that offer employees the freedom of mobility gain some advantages, which can include better productivity or saving workplace costs by allowing employees to work from home, but doing so comes with a few security risks. Keeping enterprise security in mind, organizations need to ensure employee devices are properly managed and secured.

Mobile cyberattacks are evolving every day, especially those aimed at Android devices. With the open nature of Android, attackers can even gain root privileges for a device given the right circumstances. Security researchers at Check Point Software Technologies have identified a new set of mobile cyberattacks named Man-in-the-Disk attacks that can infect Android phones and even launch denial of service (DoS) attacks.

What’s a Man-in-the-Disk attack?

Man-in-the-Disk attacks take advantage of the nature of Android OS, specifically how Android allows developers to create apps that use external storage instead of internal storage. We’ll briefly explain why that makes a difference. 

Android sandboxes apps, which keeps the files an app stores in internal storage out of reach of other apps. However, the open nature of Android also allows third-party developers to build apps that use external storage, which is shared between apps. As long as developers use proper security policies for protecting the data stored in external storage, there shouldn’t be an issue. The problem is that many developers, including some big names that may surprise you, have lax security policies when it comes to external storage. Check Point found Google Translate, Google Voice Typing, Yandex Translate, Google Text-to-Speech, and Xiaomi browsers were all vulnerable to Man-in-the-Disk attacks.

Every Man-in-the-Disk attack starts out with the hacker tricking a user into downloading a malicious app on their Android device. Once it’s installed, this app asks for permission to access the device’s external storage. If the user grants access, the hacker can then access any files that other apps have stored in external storage. Depending on what other apps save in external storage, the hacker may be able to compromise an app’s files and cause it to crash, modify another application’s code to install a malicious app, or worse. 

Preventing Man-in-the-Disk attacks

As mentioned by Google, sandboxing is likely the best option here. But since you can’t control how every app your business uses is developed, the more comprehensive solution to these external storage threats is defining strong security policies at the OS level.  
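For apps developed in-house, the developer-side counterpart is to treat anything read from external storage as untrusted input. The following is an added example, not code from Check Point, Google, or ManageEngine: it copies a staged file into app-private storage while hashing it and keeps the copy only if the hash matches. The class and method names are hypothetical, the expected SHA-256 is assumed to come from a trusted source (for example, shipped inside the app), and on Android `privateDir` would be the app's internal files directory.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.*;

public class StagedFileImporter {
    // Copies a file from shared (external) storage into app-private storage,
    // hashing the bytes as they are copied, and keeps the private copy only if
    // the SHA-256 matches the value obtained from a trusted source.
    static File importVerified(File shared, File privateDir, byte[] expectedSha256)
            throws IOException, GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        File local = File.createTempFile("staged", ".bin", privateDir);
        try (InputStream in = new DigestInputStream(new FileInputStream(shared), md);
             OutputStream out = new FileOutputStream(local)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        }
        // The digest covers exactly the bytes now in private storage, so a later
        // change to the shared file cannot affect what the app goes on to use.
        if (!MessageDigest.isEqual(md.digest(), expectedSha256)) {
            local.delete();
            throw new SecurityException("staged file failed integrity check: " + shared.getName());
        }
        return local;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: temp directories stand in for the two storage areas.
        File sharedDir = Files.createTempDirectory("shared").toFile();
        File privateDir = Files.createTempDirectory("private").toFile();
        File staged = new File(sharedDir, "update.bin");
        byte[] good = "constructed update payload".getBytes(StandardCharsets.UTF_8);
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(good);

        Files.write(staged.toPath(), good);
        File ok = importVerified(staged, privateDir, expected);
        System.out.println("accepted: " + ok.getName());

        // Simulates the staged file being modified while it sits in shared storage.
        Files.write(staged.toPath(), "tampered".getBytes(StandardCharsets.UTF_8));
        try {
            importVerified(staged, privateDir, expected);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Verifying the private copy rather than the shared original matters: a check performed on the file in external storage can be invalidated if the file changes between the check and its use.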

ManageEngine Mobile Device Manager Plus can help with Man-in-the-Disk attacks by giving you the option to unmount a device’s SD card; this prevents apps running on that particular device from using the external storage space. Mobile Device Manager Plus also provides enhanced enterprise mobility management features for devices, applications, and mobile content.  

Download Mobile Device Manager Plus now to secure your mobile workforce.

    • Hey Markus,

      Adoptable storage can help with videos or photos, but with apps, you need the app developer’s permission to store them in adoptable space. This MITD attack is a space where hackers inject malicious code during the app update (app stored in external storage). Adoptable storage will not make much difference here.

  1. chris

    Hi,
    Internal space is lower than external storage, and you will create storage issues quickly by unmounting the SD card.
    What about activating Android For Work and setting up an app whitelist?
    Will AFW secure the data also on external storage?

    • Hey Chris,

      AFW will assist in encrypting SD card data, and whitelisting is a different scenario here. This threat is exploited when apps stored on external storage are updated, allowing hackers to inject the malicious code into their updates, leaving the final build compromised. If the device is CYOD, try implementing policies and procedures to make apps use only the internal space and move photos/videos to external storage. Probably try using adoptable storage as Markus suggested, to push all other info onto the SD card and make the apps use internal memory.

  2. Markus

    Hi, If I choose to unmount the external storage, will the apps on the device stop working since many of them use the external storage?

    • Yes, apps that utilize the external storage will stop working. Instead, switch their storage to internal and execute the same.