Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X

Keychains raided, sandboxes busted, passwords p0wned, but Apple silent for six months


Dire straits

"The consequences are dire," the team wrote in the paper.

Some 88.6 per cent of 1,612 OS X and 200 iOS apps were found "completely exposed" to unauthorized cross-app resource access (XARA) attacks allowing malicious apps to steal otherwise secure data.

Xing says he reported the flaws to Apple in October 2014.

Apple security bods responded to the researchers in emails seen by El Reg expressing understanding for the gravity of the attacks, and asked for at least six months to fix the problems. In February, the Cupertino staffers requested an advanced copy of the research paper.

Google's Chromium security team was more responsive, and removed keychain integration for Chrome, noting that it could likely not be solved at the application level.

AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks nor make the malware "work harder" some four months after it was warned of the vulnerabilities. ("Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem," said AgileBits's Jeffrey Goldberg in a blog post today.)

The team's work into XARA attacks is the first of its kind; Apple's app isolation mechanisms are supposed to stop malicious apps from raiding each other. The researchers found "security-critical vulnerabilities" including cross-app resource-sharing mechanisms and communications channels such as the keychain, WebSocket and Scheme.

"Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense," the researchers wrote in the paper.

They say almost all XARA flaws arise from Apple's cross-app resource sharing and communication mechanisms such as keychain for sharing passwords, BID based separation, and URL scheme for app invocation, which is different from how the Android system works.

Their research, previously restricted to Android, would lead to a new line of work for the security community studying how the vulnerabilities affect Apple and other platforms.

Here's the boffins' description of their work:

Our study brings to light a series of unexpected, security-critical aws that can be exploited to circumvent Apple's isolation protection and its App Store's security vetting. The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed.

Such findings, which we believe are just a tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms. Most importantly, the new understanding about the fundamental cause of the problem is invaluable to the development of better app isolation protection for future OSes.

In-depth technical details are available in the aforementioned paper. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022