Gmail app hack: Why it's unlikely to derail your BYOD plans

Davey Winder takes a closer look at last week's news about the 92 per cent success rate of the Gmail app hack

BYOD

I'm not playing Buzzword Bingo this week, but I am going to mention BYOD (or Bring Your Own Device, if you prefer) and - as enterprises around the globe will testify - plenty of people do.

The explosion in using consumer devices in the workplace should not have caught anyone by surprise. When such devices catch up with, and in many cases surpass, business kit in terms of sheer power, flexibility and cost, then BYOD becomes a no-brainer. This is a good phrase, as it also sums up what appears at first glance to be some very worrying security news that broke this time last week.

The story claims the mobile Gmail app can be hacked with an impressive 92 per cent success rate. The fact research scientists at a couple of US universities have demonstrated a method by which it's possible, across Android, iOS and Windows platforms no less, to obtain personal data including passwords is surely a nail in the coffin of BYOD?

I'm not convinced, despite the shared-memory side channel-using 'UI state interference attack' being technically very interesting indeed. My 'meh' mode is activated because, practically speaking, it's much less interesting.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Here's the lowdown: a user downloads multiple apps, they all run on the same shared platform, and it's possible for one of those apps to employ that memory side-channel which is found in just about every GUI to access the others.

It was possible to do this 92 per cent of the time with Gmail. Shocking stuff huh? Not as shocking as the detail of what is actually required to get this to work.

First, the app that allows this to happen has to be installed. That's an unsigned app, and one that's carrying malicious code. The kind of app that would be prohibited by any half-decent enterprise BYOD policy, and avoided by any half-brained employee who wanted to keep their job.

However, even allowing for the fact such an app may get installed via a rogue app store or  by an idiot user, even then attack success is not a given.

Secondly, on the 'things that are required for this exercise in intellectual masturbation to work' list is the attack would have to take place at the precise, exact, same moment the user was performing the action to be accessed using the target app.

Throw in the third requirement, that all of this is done without user knowledge at any point, and it becomes startlingly clear that in the real world (outside of the rubber walls of the research labs) it's an attack that is very unlikely ever to be successfully pulled off.

Advertisement - Article continues below

This reminds me of something very similar that I was writing about back in 2012, for our sister publication Cloud Pro, under the title of 'Cryptography attack: side-channel cloud threat is all nerd and no knickers.'

Although the side-channel threat is obviously made a lot easier on a mobile device, with regards to the requirement to be running on the same platform at the same time, I stand by the gist of what I said back then. Namely, that if you are an enterprise which follows basic security best-practice strategies, including BYOD policy implementation, then you can move on as there's really nothing to see here except fear, uncertainty and doubt.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/email-clients/26076/how-to-recover-deleted-emails-in-gmail
email delivery

How to recover deleted emails in Gmail

20 Jun 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/email-providers/30214/how-to-delete-a-gmail-account
email providers

How to delete a Gmail account

15 Jul 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020