Some 88.6% of iOS and OS X apps using resource-sharing mechanisms and IPC channels are completely exposed to unauthorized cross-app resource access, or XARA, attacks, according to a report by university researchers from Indiana University, Georgia Tech and Peking University.
“The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed. Such findings, which we believe are just the tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms,” the researchers say. “The new understanding about the fundamental cause of the problem is invaluable to the development of better app-isolation protection for future OSes.”
Critical system services and channels, including the keychain, WebSocket connections to localhost and custom URL schemes, can all be abused by a sandboxed app to reach other apps' resources, and even the Apple Sandbox on OS X can be bypassed, exposing another app's container directory, they concluded.
The team got their proof-of-concept apps into Apple's app stores, passed the review process without detection, installed the apps on the victim's device and raided the keychain to steal passwords for services including iCloud and the Mail app, as well as passwords stored by Google Chrome. Compared to OS X, iOS fared better because its keychain does not share credentials across apps from different developers, although the URL-scheme hijacking still applies there.
These attacks could lead to “leaks of user passwords, secret tokens and all kinds of sensitive documents,” the researchers said. “Our research shows that fundamentally the problem comes from lack of authentication during app-to-app and app-to-system interactions, and further proposes new techniques to detect and mitigate such a threat.”
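The root cause the researchers name, a shared resource that is claimed by whichever app gets there first and then trusted without any check of who created it, can be modelled without any Apple API. The following is an added illustration written for this page, not code from the researchers or from Apple; the store, the app names, the service name and the "creator" field are all invented for the model, and the hardened save routine is one plausible app-side defence (refuse to write into an item you did not create) rather than the fix the paper proposes.

```python
"""Toy model of the keychain-preemption hazard behind XARA.

Constructed illustration, not the researchers' or Apple's code.  A shared
store hands out items keyed by (service, account); whoever creates an item
first sets its access list.  A victim that finds an item already present
and simply writes its secret into it leaks that secret to the creator.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Item:
    creator: str          # app id that created the item (model field)
    acl: Set[str]         # app ids allowed to read/update/delete
    secret: Optional[str] = None


class SharedStore:
    """Stand-in for an OS keychain; access is checked only against the ACL."""

    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], Item] = {}

    def add(self, app: str, service: str, account: str,
            secret: Optional[str] = None, acl: Optional[Set[str]] = None) -> None:
        key = (service, account)
        if key in self._items:
            raise KeyError("item already exists")
        self._items[key] = Item(creator=app, acl=set(acl or {app}), secret=secret)

    def lookup(self, service: str, account: str) -> Optional[Item]:
        return self._items.get((service, account))

    def _checked(self, app: str, service: str, account: str) -> Item:
        item = self._items[(service, account)]
        if app not in item.acl:
            raise PermissionError(f"{app} is not in the ACL")
        return item

    def update(self, app: str, service: str, account: str, secret: str) -> None:
        self._checked(app, service, account).secret = secret

    def read(self, app: str, service: str, account: str) -> Optional[str]:
        return self._checked(app, service, account).secret

    def delete(self, app: str, service: str, account: str) -> None:
        self._checked(app, service, account)
        del self._items[(service, account)]


def save_password(store: SharedStore, app: str, service: str, account: str,
                  secret: str, hardened: bool) -> None:
    """Victim-side 'save my credential' logic in both vulnerable and hardened form."""
    item = store.lookup(service, account)
    if item is None:
        store.add(app, service, account, secret)      # normal first run
        return
    if not hardened:
        # Vulnerable pattern: an item for our service already exists, so
        # reuse it.  Its ACL (set by whoever created it) is never inspected.
        store.update(app, service, account, secret)
        return
    if item.creator != app:
        # Hardened (assumed defence for this model): never write into an
        # item another app planted; replace it with one only we can read.
        store.delete(app, service, account)
        store.add(app, service, account, secret)
    else:
        store.update(app, service, account, secret)


def run_scenario(hardened: bool) -> bool:
    """Return True if the malicious app ends up reading the victim's secret."""
    store = SharedStore()
    # Attacker runs first and plants an item for the victim's service,
    # granting both itself and the victim access (constructed sample data).
    store.add("malware", "mail.example", "alice", acl={"malware", "victim"})
    save_password(store, "victim", "mail.example", "alice", "hunter2", hardened)
    try:
        return store.read("malware", "mail.example", "alice") == "hunter2"
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable victim leaks secret:", run_scenario(hardened=False))
    print("hardened victim leaks secret:  ", run_scenario(hardened=True))
```

The model is deliberately generous to the defender: it gives the victim a reliable `creator` field to check. On a real system an app cannot in general authenticate who created a shared item, which is why the researchers argue the fix belongs in the OS rather than in every app.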
Lead researcher Luyi Xing complied with Apple's request to withhold publication of the research for six months, but had not heard back from the company as of the time of writing, according to The Register. The researchers say the vulnerabilities are still present in Apple's software and that their findings could be used by cyber criminals looking to make money. Apple did not comment on that.
The researchers ran their analyzer on 1,612 of the most popular Mac apps and 200 iOS apps.