When Tapping a Photo Deletes Your Phone’s Storage
Researchers at the University of Bayreuth are investigating vulnerabilities in mobile operating systems, websites, and firewalls. A new threat: TapTrap.
Sebastian Roth, a junior professor of cybersecurity at the University of Bayreuth, researches security vulnerabilities in mobile operating systems, websites, and firewalls. Together with researchers at TU Vienna, he has now reported a new vulnerability in Android. The new attack technique is called "TapTrap": it can trick Android users into unknowingly confirming security prompts, for example, simply by tapping on the screen. In an interview, Roth explains what "TapTrap" is all about and what role AI plays in security vulnerabilities, hacking, and programming.
UBTaktuell: What’s behind this new security flaw affecting Android users?
Sebastian Roth: The vulnerability allows a (malicious) app to exploit screen animations without requiring any permissions, tricking users into performing certain actions. Using these animations, the app can secretly open another app—such as system settings or a permission prompt—and then render it invisible. The attack can then guide the user to tap specific areas of the screen, unknowingly triggering actions in the hidden app, such as granting camera access or even deleting device data.
UBTaktuell: Are iOS devices more secure than Android ones?
Sebastian Roth: You can’t definitively say that iOS devices are more secure than Android devices—or vice versa. It may seem like Android is less secure simply because you hear more about its issues. In my view, that’s mainly because Android is open-source, unlike iOS, which makes it much easier for researchers to investigate problems within the Android ecosystem. Some argue that this makes Android more secure, while others claim iOS is safer due to its closed nature. I believe it’s impossible to make a blanket statement either way, especially given the limited data available.
UBTaktuell: What can smartphone users do? How vulnerable are they to hacked devices?
Sebastian Roth: In the specific case of TapTrap, users can protect themselves—until Android resolves the underlying issue—by disabling system-wide animations in Android’s accessibility settings. This prevents the attack, although it also disables animations on the device. It doesn’t affect app functionality, but transitions between apps may appear less smooth. More generally, users should always ensure their operating system (whether iOS or Android) and all apps are up-to-date. Manufacturers regularly respond to security reports and release updates. Unfortunately, depending on the device model, users have until now often received security updates for only a short period. The EU’s new Ecodesign Directive now requires manufacturers to provide updates for at least five years after the sale of a device is discontinued. I hope this will lead to more users installing the latest security updates and keeping their smartphones in use for longer.
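The workaround Roth describes (turning off system-wide animations) can be verified from a workstation rather than by eye. The following script is an added example, not code from the interview or from the TapTrap researchers. It assumes, as stated in the comments, that the accessibility "Remove animations" toggle and the Developer-options sliders both persist to the three real Settings.Global keys `window_animation_scale`, `transition_animation_scale` and `animator_duration_scale`, and that `adb` is installed with an authorized device attached; the decision logic is kept in a separate function so it can be checked without a device.

```shell
#!/bin/sh
# Added example (not from the interview): audit an Android device's global
# animation-scale settings over adb and report whether the TapTrap
# workaround (all animations off) is in effect.
# ASSUMPTION: the accessibility "Remove animations" toggle and the
# Developer-options sliders both write these three Settings.Global keys.
ANIM_KEYS="window_animation_scale transition_animation_scale animator_duration_scale"

# is_zero VALUE -> exit 0 when VALUE is a zero scale ("0", "0.0", "0.00").
# "null" (key never written) is treated as NOT zero, because Android then
# falls back to the 1.0 default, i.e. animations are still enabled.
is_zero() {
  case "$1" in
    0|0.0|0.00) return 0 ;;
    *) return 1 ;;
  esac
}

# animations_disabled WINDOW TRANSITION ANIMATOR -> exit 0 only when all
# three scales are zero; any single non-zero scale leaves an animation the
# attack could still exploit, so the verdict is all-or-nothing.
animations_disabled() {
  is_zero "$1" && is_zero "$2" && is_zero "$3"
}

# audit_device -> prints the three scales and a verdict; exit 0 only when
# the workaround is fully active. Requires adb and an authorized device.
audit_device() {
  w=$(adb shell settings get global window_animation_scale | tr -d '\r')
  t=$(adb shell settings get global transition_animation_scale | tr -d '\r')
  a=$(adb shell settings get global animator_duration_scale | tr -d '\r')
  printf 'window=%s transition=%s animator=%s\n' "$w" "$t" "$a"
  if animations_disabled "$w" "$t" "$a"; then
    echo "OK: system animations are off (TapTrap workaround active)"
    return 0
  fi
  echo "WARN: one or more animation scales still enabled"
  return 1
}

# Only talk to a device when explicitly requested and adb is installed,
# so the functions above can be sourced and checked offline.
if [ "${ANIM_AUDIT_RUN:-0}" = "1" ] && command -v adb >/dev/null 2>&1; then
  audit_device
fi
```

Run it with `ANIM_AUDIT_RUN=1 sh audit_animations.sh` against a device in USB-debugging mode; a non-zero exit means the workaround is not fully applied. Note that this checks only the interim mitigation, not whether the device has received the Android fix itself.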
UBTaktuell: What are typical vulnerabilities in modern smartphones or web systems?
Sebastian Roth: Vulnerabilities vary widely. One recurring issue in both cases is insecure communication between a website or app and its server. Outdated software is also a common problem. If smartphones or apps lack the latest security updates, or if websites use outdated and vulnerable software libraries, attackers often find easy entry points. On the user side, poorly chosen passwords or reusing the same password across multiple services is a major risk. Password manager software, switching to passkeys, and enabling multi-factor authentication can significantly improve protection. But it’s not just users—developers also have a lot of work to do to make secure coding practices and the use of security mechanisms easier, ultimately making software more secure overall.
UBTaktuell: Do you work theoretically, or do you ever hack a website just for fun?
Sebastian Roth: In our research, we need to support our hypotheses with empirical data. For example, when investigating a security issue or a defence mechanism, we typically scan the most commonly used websites (or apps) and examine the issue within that dataset. This not only helps us assess the scale of a problem but also makes our findings more transparent and reproducible. At the same time, this focus means we often overlook smaller—but still very important—applications, such as websites of local banks or utility providers. There’s excellent work being done outside of purely academic conferences: for instance, at last year’s Chaos Computer Club meeting, Lilith Wittmann presented a brilliant talk on “hacking prisons,” offering insights into the software stack used in correctional facilities.
Roth (left) has only been a junior professor at the University of Bayreuth since the beginning of this year – pictured here with President Prof. Dr. Stefan Leible.
UBTaktuell: Where do you draw the line between legitimate research and illegal intrusion?
Sebastian Roth: This is a very complex and political issue. The fact that security researchers in Germany frequently face legal trouble and are not protected by law—essentially risking time in prison—is deeply troubling. Researchers and hacktivists do incredibly important educational work. Instead of exploiting or selling vulnerabilities, we report them to the affected parties so that as many end users as possible can be protected. However, current legislation (such as the “hacker paragraph” in the German Criminal Code) does not distinguish between malicious and well-intentioned attacks. As a result, instead of receiving a “thank you for letting us know,” you often get a letter from a lawyer. There’s still a lot of political work to be done to make legitimate research legally safer.
UBTaktuell: What motivated you to get involved in hacking? Was there a key moment?
Sebastian Roth: Honestly, I got into cybersecurity because I couldn’t decide which minor subject to take during my computer science bachelor’s degree—so I switched to the cybersecurity bachelor’s programme at Saarland University, which didn’t require a minor. My passion for IT security really took off thanks to the hands-on courses where we were allowed to attack IT systems, and through the Capture-the-Flag team “saarsec” at Saarland University and the CISPA Helmholtz Centre for Information Security. I also had the opportunity early in my studies to work as a student researcher thanks to Sascha Fahl, Ben Stock, and Michael Backes at CISPA, which gave me insight into IT security research. That’s when I realised how incredibly diverse the field is. There are overlaps with electrical engineering when working close to hardware, with psychology and philosophy when researching developers or end users, with law when studying IT criminal law, with mathematics when exploring cryptography, and so on. In short, IT security is a field where I’ll never get bored.
UBTaktuell: How will hacking change through AI?
Sebastian Roth: While some AI-based systems can help analyse the massive amounts of data flowing through, say, a firewall, or trap attackers in a kind of maze to waste their time, the use of AI also has its downsides. There’s currently a dangerous trend of generating software using language models instead of developers. This poses risks because these models are trained on data and code from across the internet, which means they inherit the same vulnerabilities and bugs found in that code. Researchers at Stanford, for example, showed in a study that developers using AI assistants were more likely to introduce security flaws into their code—and yet were more confident that their insecure software was safe, compared to developers without AI assistance. So, in the near future, we’re likely to see an increase in poorly written software with security vulnerabilities. Additionally, language models have a design flaw that makes them susceptible to attacks where unintended commands can be injected or security restrictions bypassed. You could say that AI gives us new tools to defend systems—but also opens up a whole new world of potential vulnerabilities to explore.