Researchers have announced a new side-channel attack on Android phones that allow them to infer what Web page the user is browsing.
In a paper called "Memento: Learning Secrets from Process Footprints" researchers Suman Jana and Vitaly Shmatikov from the University of Texas show that they can track subtle changes in the application’s memory footprint to a level where they can tell what Web sites someone visited on their mobile phone.
The researchers write that any Android app "can measure the memory footprint (data+stack size) or CPU scheduling statistics of another app using the standard Unix proc facility without any permissions or the phone owner’s consent." They note that that alone might not leak any details. However, in combination, with other data might. "[A]s long as temporal changes in this information are (a) correlated with the program’s secrets and (b) can be observed by the attacker" sensitive information can be inferred with a high degree of success."
For example, the researchers looked at the signatures made by browsing the top 100,000 websites as ranked by Alexa. The researchers found that "depending on the browser, between 30% and 50% of these pages are distinguishable: they produce patterns that are both stable (similar across visits to the same page) and diverse (dissimilar to visits to other pages)."
The authors conclude the "privacy risks of system isolation mechanisms are poorly understood and a worthy topic of further research."