Thwart Man-in-the-Disk exploit on Android devices

The cybersecurity arms race keeps evolving faster and faster as threat researchers and bad actors start leveraging machine learning artificial intelligence (AI) to discover sophisticated exploits on mobile devices that now live in the Zero Trust world. CISOs need to arm themselves with powerful tools to remain viable in today’s modern work environment. This blog post describes how MobileIron Threat Defense acts as a preventative countermeasure in a multi-layered defense security strategy to help you thwart the Man-in-the-Disk attack and minimize any company data loss.


During the DEF CON 2018 security conference in Las Vegas, an exploit called Man-in-the-Disk attack  that affects all Android OS devices was revealed. Many apps write their transient installation, update, or generated data files temporarily onto the removable SD card storage which is unprotected, shared by the OS, and accessed by other apps living on the mobile device. There are no inherent protections in place to prevent the malicious sharing of these files between these apps.

What could go wrong?

Quickly connecting the dots, a bad actor using an exploit kit like malware, or a device or network threat, could do any one of the following:

  • Crash the target app, leaving a back door for the hacker to pass through
  • Scrape these files to steal private or company data
  • Sabotage other apps
  • Replace legitimate apps with malicious ones
  • Manipulate app data to completely take over the mobile device using an escalation of privileges (EoP) exploit

A real world example is a mobile or remote worker who creates a document or video that they want to upload and share with their coworkers using their messaging app. The app-generated data file is temporarily stored on the external SD card where a malicious app can then exfiltrate it to the dark web, where the stolen work data can then be sold to the highest bidder.

How to thwart Man-in-the-Disk exploit

Currently, there are no automated countermeasures to prevent this threat except to disable the hardware external storage. This would then force all temporary app files to be stored within the Android internal storage that is protected by the app’s own containerized sandbox, not shared by the OS.
So how does MobileIron UEM and Threat Defense help mitigate this type of threat? A mobile device can be configured for Android enterprise Device Owner (DO) mode to disable USB file transfer and disable external media, which thwarts this exploit from the jump. This UEM configuration setting is depicted in Figure 1 below. For Samsung devices with KNOX Standard configuration enabled, disable the SD card.

Figure 1 – MobileIron Cloud Android enterprise Device Owner Configuration

Figure 1 – MobileIron Cloud Android enterprise Device Owner Configuration


MobileIron Threat Defense adds an additional layer of security by providing always-on detection, notification, and remediation of any artifacts of the Man-in-the-Disk exploit such as:

  • The “App reads files from the SD card” vulnerability
  • Suspicious Android app

Threat Defense can then remediate this threat by applying quarantine compliance actions.


Without any security controls in place for users of popular apps like Fortnite and the Xiaomi Browser, the newly discovered Man-in-the-Disk exploit can lead to private data exfiltration and potentially worse things happening to a user’s Android device or the networks to which it’s connected to access data and cloud services.  MobileIron Threat Defense acts as a preventative countermeasure in a multi-layered defense security strategy to help you thwart a Man-in-the-Disk attack and minimize any company data loss.



James Saturnio

James Saturnio

Senior Lead Technical Market Adviser at MobileIron

About the author

James Saturnio is a Senior Lead Technical Market Adviser at MobileIron. He immerses himself in all things cybersecurity and has over 25 years’ experience in this field. He has been with MobileIron for over 6 years, and previously worked at Cisco Systems for 19 years. While at Cisco, he worked as a TAC Engineer, and then as a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.