Apple's defense against apps vandalizing other apps still broken, developer claims
Cupertino appears to be blasé about long-standing macOS bug, so coder has blabbed
Updated Apple last year introduced a security feature called App Management that's designed to prevent one application from modifying another without authorization under macOS Ventura – but a developer claims it’s not very good at its job under some circumstances.
"If an app is modified by something that isn't signed by the same development team and isn't allowed by an
NSUpdateSecurityPolicy, macOS will block the modification and notify the user that an app wants to manage other apps," explained Justin Sagurton of Apple’s privacy engineering team, in a video presentation at the fruity computer seller's 2022 Worldwide Developers Conference.
Alas, this particular security mechanism – available to users via System Settings -> Security & Privacy -> App Management – appears not to manage app security very well.
Last October, Jeff Johnson, who develops software for various Apple platforms through his Underpass App Company, found that sandboxed apps can bypass App Management.
A sandboxed app can modify a file that is supposed to be protected by App Management
The bug he found is similar to a bypass of Gatekeeper – a macOS feature designed to ensure that only trusted code can run on Apple computers – identified by Microsoft researchers last year.
In a blog post on Monday, Johnson describes how he was able to modify a Firefox settings file,
update-settings.ini, in TextEdit, a macOS app, to change its behavior without triggering App Management intervention.
"TextEdit is sandboxed," he explains in his post. "Ironically, sandboxing was designed to prevent attacks, but in this case it allows an attack. That's the bug, the vulnerability. A sandboxed app can modify a file that is supposed to be protected by App Management."
But this isn't just about a file integrity risk posed by a local attacker. Johnson's proof-of-concept exploit [ZIP] consists of a non-sandboxed app embedded within a sandboxed one. When downloaded from the internet, it prompts the user for a file path and then delegates file alteration to the embedded sandboxed app.
So the App Management hole could be used as part of an attack chain initiated through a downloaded malicious file.
- Apple demands app makers explain use of sensitive APIs
- Apple squashes kernel bug used by TriangleDB spyware
- Apple's latest security feature could literally save lives
- Apple pushes first-ever 'rapid' patch – and rapidly screws up
Johnson says he tested his proof-of-concept attack against macOS 13.5.1, released five days ago, and it bypasses App Management, allowing any file in the app bundle (the main executable, a configuration file, or a license) to be altered. And the App Management system does not protest.
In a preceding post, he says he reported the bug to Apple on October 19, 2022, and the iPhone giant acknowledged the bug report on October 21, 2022 – three days before the first general release of macOS Ventura (macOS 13), the most current supported release of Apple's desktop operating system.
More than 300 days later, Johnson says the bug remains unfixed, so he has decided to go public with it.
"Apple hasn't said anything about how serious they consider the issue to be, although perhaps their actions speak louder than words," Johnson told The Register in an email. "I did ask Apple Product Security to estimate the bounty payment, and they refused. In all communications with Apple Product Security, they refuse to say much, which makes them very frustrating to work with."
Apple's reluctance to communicate openly with the security community has been a longstanding point of contention among those who look for flaws in the tech giant's software and hardware, as underlined by the objections raised by researchers following the biz's ill-fated proposal in 2021 to scan content on iDevices for illegal child abuse material.
Cupertino's silence about bugs prompted developer Tim Burks in 2008 to create OpenRadar – a community bug-reporting site dedicated to showing programming blunders affecting Apple operating systems – because the outfit's own Radar bug-reporting system is not available to the general public.
Apple did not respond to a request for comment, as is usually the case when contacted by The Register.
"I would say that my vulnerability renders App Management null and void," said Johnson. "The protection has never been effective. Apple shipped it with a gaping hole from day one. The vulnerability is quite trivial to exploit."
However, Johnson said that since App Management is a new addition to macOS Ventura, the current macOS is no more vulnerable than previous releases that didn't have the broken feature.
"That's why I don't feel too bad about publicly disclosing the vulnerability," he said. "My disclosure hasn't made Mac users worse off than before; it's simply the case that App Management never made Mac users better off than before. The new feature didn't work as advertised." ®
Updated to add
“I could see this being something malware could (ab)use to surreptitiously infect local applications, perhaps as a way to stealthily persist,” said Patrick Wardle, cybersecurity researcher and founder of security non-profit Objective-See, in a post-publication message to The Register.
He added this kind of modification would break the vandalized app's digital signature so entitlements granted to the software would be lost.
“To me the bigger issue is Apple’s inability to respond and fix this in a timely manner,” he added, noting that he encountered something similar with another new Ventura feature, BTM or Background Task Management.