An Android app has two choices for where to put its data on a device: internal storage, where it’s safe and snug, isolated by the operating system’s sandbox, and external storage, where data can move between apps but isn't as protected. Most of the time, that setup works just fine. But when developers use the latter incorrectly, they could give hackers a crucial foothold.

That’s the focus of new research from Check Point security researcher Slava Makkaveev, who will present his findings at the DefCon security conference Sunday. By stashing the wrong things in external storage, an app can expose an Android phone to a host of potential attacks, including secret installation of malware, shutting down legitimate apps, and even potentially gaining control of a smartphone’s camera or microphone.

“This is an attack surface that hasn’t been well documented or addressed until now. Developers everywhere should be more careful in the way they’re using external storage,” says Check Point head of threat prevention Orli Gan. She adds that the majority of applications Check Point analyzed appear susceptible to this kind of attack.

That prevalence makes some sense in context; a developer’s ability to save what they want to external storage is a feature, not a bug. And for lots of use cases, it's a logical choice. When you want to send someone a photo, for instance, your camera app will write it to external storage, so that your messaging app can grab it. No harm in that.

Meanwhile, anything in internal storage gets essentially cordoned off thanks to Android’s sandboxing, preventing other apps from snooping on it. But sometimes developers use external storage when they really shouldn’t. Maybe they ran out of space, maybe they copied and pasted bad code from somewhere, maybe they’re lazy, but things like configuration files or code for their next update end up out in the open.

Check Point’s so-called man-in-the-disk attack plays out from there. A hacker would first need to get someone to install an innocuous-looking app—a limiting factor, but not insurmountable—and get them to grant the routine “External Storage” permission. Once in place, the malicious download would then opportunistically monitor everything other apps on the device are holding in external storage.

“They’re able to replace, or augment, or manipulate the content of this storage in such a way that would cause them to gain privileges on the app that’s poorly written,” says Gan.
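One way an app can defend against the manipulation described above, shown as an added example that is not code from Check Point, Google, or any app named in this article: copy the shared file into private storage while hashing it, then use only the private copy. The class and method names are hypothetical, the expected digest is assumed to arrive over a trusted channel, and two temporary directories stand in for external and internal storage.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.*;

/** Hypothetical helper, not from any app or SDK named in the article. */
public final class StagedFile {
    /**
     * Copies a file from shared storage into privateDir (on Android, a directory
     * under internal storage), hashing the bytes as they are copied. The private
     * copy is returned only if its SHA-256 matches; the caller must use that copy
     * and never reopen the shared path, so a later rewrite cannot change what runs.
     */
    static File importVerified(File untrusted, File privateDir, byte[] expectedSha256)
            throws IOException, GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        File staged = File.createTempFile("staged", ".bin", privateDir);
        boolean ok = false;
        try {
            try (InputStream in = new DigestInputStream(new FileInputStream(untrusted), md);
                 OutputStream out = new FileOutputStream(staged)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
            }
            // Digest covers exactly the bytes now sitting in private storage.
            ok = MessageDigest.isEqual(md.digest(), expectedSha256);
            if (!ok) throw new SecurityException("digest mismatch, file rejected");
            return staged;
        } finally {
            if (!ok) staged.delete(); // never leave unverified data behind
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo data: temp directories stand in for the two storage areas.
        File shared = Files.createTempDirectory("shared").toFile();
        File priv = Files.createTempDirectory("private").toFile();
        File update = new File(shared, "update.bin");
        byte[] good = "config-v2".getBytes(StandardCharsets.UTF_8);
        Files.write(update.toPath(), good);
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(good);
        System.out.println("accepted: " + importVerified(update, priv, expected).getName());
        // Another app holding the storage permission rewrites the shared file.
        Files.write(update.toPath(), "tampered".getBytes(StandardCharsets.UTF_8));
        try { importVerified(update, priv, expected); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Hashing the shared file in place and then opening it again would leave a gap in which another app could swap the contents; copying first and checking the copy closes that gap.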


Google does offer guidelines to developers urging them not to put sensitive code on external storage. But not only did Check Point find that many apps don’t follow that advice, Google itself isn’t immune from man-in-the-disk. The researchers found that sloppy external storage usage by Google Translate, installed on more than 500 million devices, meant that they could compromise certain files required by the app, and crash it. Google has since patched the issue, but it still provides an illustration of how wrong things can go.

“Google Translate on my phone has access to Google Camera,” says Gan. “If I’m able to crash that code, and from there I’m able to inject my code, it will now run in the privileges of Google Translate. Therefore it will have access to my camera, and I never allowed this application to have access to my camera.”

The researchers found another concerning form of vulnerability in LG Application Manager and LG World. Because of how they were using external storage, the apps could have been compromised to act as conduits for silently installing unwanted apps. LG did not respond to a request for comment.

"The issues they have outlined do not affect the Android operating system itself, but rather, third party code and applications on devices," said a Google spokesperson. "Together with Check Point, we have reached out to affected Android partners to address these issues."

At the very least, man-in-the-disk shows how operating system architecture can have unintended consequences. The permissive nature of external storage dates back to when there wasn’t much room on actual devices, necessitating SD cards to make up the difference. Now, when developers use it irresponsibly, they expose their users to potential attack. And unless Google decides to make fundamental changes to how Android handles storage—which would also potentially make some interactions with your phone more frustrating—that seems unlikely to change.

“Expecting every developer in the world out there to understand the security of what they’re developing is unrealistic,” says Gan. “Guidelines are great. Developers are also great. But they don’t necessarily go hand in hand.”
