Zero-day exploit lets App Store malware steal OS X and iOS passwords

sinu (Thread author)
Security researchers have found several major flaws in OS X and one in iOS that open the door to malware. The exploits allow malicious apps that have made their way into the App Store to bypass or ignore the sandbox and other protections in order to grab passwords from other apps' keychain entries, steal data from other apps' private data storage, hijack network ports, and masquerade as different apps to intercept certain communications.
Apple's review process for the App Store -- both for iOS and OS X -- is supposed to prevent malware from entering its system. If that bulwark fails, the company relies on sandboxing, which prevents apps from accessing data and files other than those managed by the app, except through very tightly defined channels.
However, six researchers have discovered many weak points in how Apple checks, and requires apps to check, the ownership of per-app storage and of communication channels between apps. The authors call this "unauthorized cross-app resource access," which they abbreviate as XARA.

One of the authors, XiaoFeng Wang, a professor of computer science at Indiana University, said in an interview, "OS X provides a richer functionality. In this case, it becomes vulnerable."
The researchers say they notified Apple in October 2014 and twice thereafter, and were told it would take six months to repair the flaws. The authors also say Apple asked for their paper in February. (We have a request out to Apple for comment.) This is considered a "zero-day" exploit because it is immediately available to put into malware, but industry practices for disclosure were observed.

What limits the attack vectors presented by the researchers is that any malicious app first has to get into the App Store. Unfortunately for Apple, the paper's authors were able to submit and get approved apps that exploited these weaknesses. They removed the apps immediately after approval, since by then they already had their proof of concept.

The paper details four flaws, three of which are unique to OS X. However, without substantial changes, iOS could be subject to one or two additional exploits noted if certain kinds of inter-application or system-wide data storage changes were made.

The researchers' analysis of hundreds of free apps reveals that most are vulnerable to most of these attack vectors. AgileBits, developer of 1Password, responded with a blog post on Wednesday detailing what the company plans to do and what users can do to protect themselves.

Four paths to crack

  • Password theft via the system-wide keychain.

  • Container cracking between apps, where one app can retrieve the contents of another sandboxed app's ostensibly private data store.

  • Internet socket interception, which allows a malicious app to hijack the flow of traffic to an app.

  • Scheme hijacking (both iOS and OS X), in which the system-wide method of launching one app from another is redirected to capture login tokens or other information.
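Scheme hijacking is the one of the four paths that applies to both platforms, and it is also the one a user can check for without any special tooling: every app bundle declares the URL schemes it claims in its Info.plist (under CFBundleURLTypes), and a scheme claimed by two bundles is exactly the condition the attack needs. The following script is an added example written for this post; it is not code from the researchers' paper, from Apple, or from AgileBits. It walks the standard application folders on OS X, collects each bundle's declared schemes and reports any scheme claimed more than once. The bundle paths, bundle identifiers and scheme names in the embedded sample plists are constructed for the demonstration, so the script also runs on a machine with no .app bundles at all.

```python
"""Report URL schemes claimed by more than one installed app bundle.

Scheme hijacking works because any app may register any URL scheme and,
when two apps claim the same one, the victim app has no say in which of
them receives a link such as vaultauth://callback?token=...  A scheme
with more than one claimant is therefore the signal worth looking for.
Added example; bundle paths and identifiers below are constructed.
"""
from __future__ import annotations

import os
import plistlib
from collections import defaultdict
from xml.parsers.expat import ExpatError


def schemes_from_plist(data: bytes) -> set[str]:
    """Return the URL schemes an Info.plist declares under CFBundleURLTypes."""
    try:
        info = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return set()          # unreadable plist: claims nothing we can see
    schemes: set[str] = set()
    for url_type in info.get("CFBundleURLTypes") or []:
        for scheme in url_type.get("CFBundleURLSchemes") or []:
            schemes.add(str(scheme).lower())   # scheme matching is case-insensitive
    return schemes


def find_scheme_collisions(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Map every scheme claimed by two or more bundles to the claiming bundles.

    `plists` maps an app bundle path to the raw bytes of its Info.plist.
    """
    claimants: dict[str, list[str]] = defaultdict(list)
    for bundle, data in plists.items():
        for scheme in schemes_from_plist(data):
            claimants[scheme].append(bundle)
    return {s: sorted(b) for s, b in claimants.items() if len(b) > 1}


def load_installed_plists(roots=("/Applications",
                                 os.path.expanduser("~/Applications"))) -> dict[str, bytes]:
    """Collect Info.plist bytes for each .app bundle under the given roots (OS X)."""
    plists: dict[str, bytes] = {}
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            for name in list(dirnames):
                if not name.endswith(".app"):
                    continue
                bundle = os.path.join(dirpath, name)
                info = os.path.join(bundle, "Contents", "Info.plist")
                if os.path.isfile(info):
                    with open(info, "rb") as fh:
                        plists[bundle] = fh.read()
                dirnames.remove(name)   # do not descend into the bundle itself
    return plists


def make_plist(bundle_id: str, schemes: list[str]) -> bytes:
    """Build a minimal Info.plist declaring the given schemes (for the sample data)."""
    return plistlib.dumps({
        "CFBundleIdentifier": bundle_id,
        "CFBundleURLTypes": [
            {"CFBundleURLName": bundle_id, "CFBundleURLSchemes": schemes},
        ],
    })


# Constructed sample: a password manager claims "vaultauth", and a second
# app claims the same scheme with different letter case plus one of its own.
SAMPLE_PLISTS: dict[str, bytes] = {
    "/Applications/Legit Vault.app": make_plist("com.example.vault", ["vaultauth"]),
    "/Applications/Free Game.app": make_plist("com.example.game", ["VaultAuth", "freegame"]),
    "/Applications/Notes.app": make_plist("com.example.notes", ["notes"]),
}


if __name__ == "__main__":
    installed = load_installed_plists()
    targets = installed if installed else SAMPLE_PLISTS   # fall back to the sample off-box
    collisions = find_scheme_collisions(targets)
    if not collisions:
        print("no URL scheme is claimed by more than one bundle")
    for scheme, bundles in sorted(collisions.items()):
        print(f"{scheme}:// is claimed by {len(bundles)} bundles:")
        for bundle in bundles:
            print(f"    {bundle}")
```

A collision is a prompt to look, not proof of an attack: some schemes (mailto, for instance) are legitimately handled by several apps. The check does not tell you which claimant the system will actually launch, which is the point of the attack, so an unexpected claimant on a scheme your password manager or OAuth-using app relies on is the finding to act on.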