Unpatched OS X, iOS flaws allow password, token theft from keychain, apps

Six researchers from Indiana University Bloomington, Peking University and Georgia Tech have recently published a paper in which they detail the existence of critical security weaknesses in Apple’s OS X and iOS – weaknesses that could be exploited by a sandboxed malicious app to gain unauthorized access to other apps’ sensitive data.

“More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS X and URL Scheme on OS X and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote,” they noted.

“Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed.”

They also created a malicious app that mounts these so-called cross-app resource access (XARA) attacks by bypassing OS-level protections, and managed to upload it to the Apple App Stores despite Apple's careful and restrictive app vetting process.

“Looking into the root cause of those security flaws, we found that in most cases, neither the OS nor the vulnerable app properly authenticates the party it interacts with,” they explained. “To understand the scope and magnitude of this new XARA threat, we developed an analyzer for automatically inspecting Apple apps’ binaries to determine their susceptibility to the XARA threat, that is, whether they perform security checks when using vulnerable resource-sharing mechanisms and IPC channels, a necessary step that has never been made clear by Apple.”

They used this scanner, which they dubbed Xavus, to analyze the 1,612 most popular Mac apps and 200 iOS apps for XARA weaknesses. The result? Over 88.6% of the apps are completely exposed to the XARA attacks.

“The consequences are dire,” they pointed out. “For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome; from various IPC channels, we intercepted user passwords maintained by the popular 1Password app and the secret token of Evernote; also, through exploiting the BID vulnerability, our app collected all the private notes under Evernote and all the photos under WeChat.”

[Screenshot: a short overview of the most popular apps/services affected]

Apple is aware of the flaws – they were informed of them in October 2014 – but little has been done to mitigate them since then. Other software vendors were also apprised of the situation. According to The Register, Google’s Chromium security team removed Keychain integration for Chrome, but AgileBits still hasn’t managed to find a way to prevent the attacks on its 1Password app.

The researchers themselves say that many of the issues may not be easily fixed. So, they decided to create a scanner app that will be able to detect exploit attempts on OS X until the problems can be fully addressed. More details about it can be found in the paper and, apparently, the app is quite effective.

The paper also contains details about the nature of the XARA weaknesses, and several key design principles for avoiding them.
