There are critical security weaknesses in Apple’s OS X and iOS that could be exploited by a sandboxed malicious app to gain unauthorized access to other apps’ sensitive data, researchers said.
Six researchers from Indiana University Bloomington, Peking University and Georgia Tech have published a paper in which they detail the vulnerabilities.
“More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS X and URL Scheme on OS X and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote,” they said in the whitepaper.
“Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed.”
They also created a malicious app that can mount cross-app resource access (XARA) attacks by bypassing OS-level protections, and managed to upload it to the Apple App Stores despite Apple’s careful and restrictive app vetting process.
“Looking into the root cause of those security flaws, we found that in most cases, neither the OS nor the vulnerable app properly authenticates the party it interacts with,” they said. “To understand the scope and magnitude of this new XARA threat, we developed an analyzer for automatically inspecting Apple apps’ binaries to determine their susceptibility to the XARA threat, that is, whether they perform security checks when using vulnerable resource-sharing mechanisms and IPC channels, a necessary step that has never been made clear by Apple.”
They used a scanner called Xavus to analyze the 1,612 most popular Mac apps and 200 iOS apps for XARA weaknesses. The result? Over 88.6 percent of the apps ended up completely exposed to the XARA attacks.
“On the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome; from various IPC channels, we intercepted user passwords maintained by the popular 1Password app and the secret token of Evernote; also, through exploiting the BID vulnerability, our app collected all the private notes under Evernote and all the photos under WeChat.”
Apple is aware of the flaws, having learned about them in October 2014, but the company has done little since then to mitigate them.
The paper also contains details about the nature of the XARA weaknesses, and several key design principles for avoiding them.