Gmail, other apps easily hacked with 92 percent accuracy, say researchers

Scientists have developed a novel method that allowed them to successfully hack into Gmail with up to 92 percent accuracy. A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone.

The researchers tested the method and found it was successful between 82 per cent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate. The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system.

The researchers believed there was a security risk with so many apps being created by so many developers. Once a user downloads a bunch of apps to their smartphone they are all running on the same shared infrastructure, or operating system.

“The assumption has always been that these apps can’t interfere with each other easily,” Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside said. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user,” said Qian.

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel – the shared memory statistics of a process, which can be accessed without any privileges.

The researchers monitor changes in shared memory and are able to correlate changes to what they call an “activity transition event,” which includes such things as a user logging into Gmail or taking a picture of a check so it can be deposited online.

Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.

There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.

Why I won't switch to Windows Phone:

Back in June, I wrote about my time with the Lumia 630, and lamented the lack of apps available in the Windows Store.

Since then, I've been using the Lumia 1320. It was a dual-purpose test: first to force myself to use a phablet - this thing is huge - and second to really use Windows Phone apps seriously. I'm going to leave the phablet experience for another time and talk here about Windows Phone again.

Much to the surprise of everyone at Tech Advisor and surely plenty of Windows Phone owners, a number of new apps have appeared over the last few months, notably Fitbit.

One of the biggest issues I had with missing apps was that I couldn't use my Fitbit One - nor any other activity tracker - with Windows Phone. Researching the problem I found that even in Windows Phone 8 the Bluetooth stack, as it's known, still wasn't up to scratch. That's fixed in Windows Phone 8.1 (about time, Microsoft), and it has meant that synching with Bluetooth LE devices such as the Fitbit is now possible.

That's no consolation for Nike FuelBand or Jawbone UP owners, though. With a bit of luck, there will be official apps soon as, amazingly, Nike finally released a FuelBand app for Android about a month ago (about time, Nike).

I was also pretty happy to discover that apps for the two banks I bank with are available on the Windows Store. In fact, we've been keeping a list of missing apps for Windows Phone and have been able to cross out about half of them over the last few months. Happy days.

Well. Not quite. The problem, dear reader, is that it isn't enough to be able to tick these apps off our list. Right from the start, Microsoft was keen to boast about numbers. At the launch of Windows Phone 8 in 2012, Joe Belfiore boasted that Windows Phone owners now had access to 46 out of the top 50 apps (he conveniently forgot to mention that it didn't apply to those who bought handsets running Windows Phone 7 because, oh, they wouldn't get the upgrade to Windows Phone 8.)

However, with apps, it's quality over quantity and that's where Windows Phone really falls down for me. I fired up the Y-cam HomeMonitor app expecting exactly the same set of features as on my iPhone. But no. Although I can view the live feed from the camera and watch recorded clips from the cloud service, that's it. There are no options to turn the camera on or off, to enable or disable motion detection, nor mute alerts.

It's a similar story in other apps. Even in the much anticipated Fitbit app, there's no way to re-order or remove the various stats on the home screen - it's a small detail, but it's a theme that seems to run through every app I've used.

It's hard to tell whether I should be blaming Microsoft or the app developers, since some of the features may not be possible due to limitations with Windows Phone 8.1, or it could be that the developers simply aren't putting in as much effort as with iOS.

The bottom line is that, for the user, the experience is inferior to an iPhone in many ways. Don't get me wrong: there are benefits to having Windows Phone 8, such as the ability to pin the London Bridge departures information to the home screen (complete with live tile) rather than merely the app itself. But, after more than two months of using Windows Phone 8.1, I'm itching to go back to iOS.