Pixelbliss - Fotolia
Application sandboxing flaws, which have long plagued the Android OS, were recently discovered on OS X and iOS.
The results were both "surprising" and "dire," according to six researchers from Indiana University, Peking University and Georgia Institute of Technology. The team set out to investigate the effectiveness of app isolation on OS X and iOS and test whether the OSes' unique methods of confining apps and supporting cross-app interactions offered a more secure user environment.
In "Unauthorized Cross-App Resource Access on Mac OS X and iOS", which was submitted to the Cornell University Library in May, the group of researchers led by Luyi Xing of Indiana University found a number of critical vulnerabilities in major cross-app resource-sharing mechanisms and communications channels, as well as unreliable Apple sandbox construction that led to issues including password stealing, container cracking, cross-app communication interception and URL scheme hijacking.
"We completely cracked the keychain service -- used to store passwords and other credentials for different apps -- and sandbox containers on OS X," Xing told The Register, which first reported the story Wednesday. "(We) also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS, which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."
In the attacks the group dubbed unauthorized cross-app resource access or XARA, adversaries can potentially steal passwords from iCloud, Gmail and Chrome, and infiltrate data from 1Password, Evernote, WeChat and other apps.
The researchers built proof-of-concept apps which not only circumvented OS-level protection but also made their way through the App Store vetting process to become readily available to customers.
In their tests, researchers found more than 88.6% of the 1,612 most popular Mac apps and 200 iOS apps were "completely exposed" to XARA.
"Fundamentally," the report reads, "these problems are caused by the lack of app-to-app and app-to-OS authentications."
Xing said the Apple sandbox vulnerabilities were reported to Apple in October 2014, prompting the company to request a six-month grace period to fix this issues. It was only in February, however, that Apple requested an advanced copy of the research, according to the researchers.
Videos posted by Xing demonstrate how malicious apps can be used for password stealing, container cracking/bundle ID attacks, inter-process communication interception and URL scheme hijacking.
Jeff Goldberg of AgileBits, Inc. -- creator of 1Password -- published a blog post Wednesday discussing the threat and how the company has reacted since November.
"Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem," Goldberg wrote. The blog does, however, offer ways to make it more difficult for attackers, including keeping 1Password running and not installing untrusted apps.
While XARA attacks can be hard to execute as they can only be completed by downloading a malicious app through the app store, researchers were able to circumvent the App vetting defenses; it will only be a matter of time until adversaries adopt such strategies.
The researchers built a program that detects exploit attempts; it will be available on the XARA flaws site when ready.
In other news
- Three more companies have jumped on the HTTPS bandwagon following last week's announcements by the White House and Apple. The Wikimedia Foundation, Inc. announced last Friday it was in the process of implementing HTTPS to encrypt all traffic on Wikipedia and other Wikimedia sites. It is also going to use HTTP Strict Transport Security to "protect against efforts to 'break' HTTPS and intercept traffic." Bing announced Monday that while it has offered the option to encrypt search traffic for about a year and half, it will start encrypting search traffic by default this summer. Reddit Inc. announced Tuesday all site traffic would be redirected over HTTPS and HTTP would no longer be available starting June 29.
- An IT jobs report released Tuesday by Mondo revealed that behind the CIO/CTO position, chief security officers and chief data officers garnered the highest salaries in 2015 at $146000 - $214,000 and $143000 - $200,000, respectively; this is an increase of 5% for CDOs and 44% for CSOs. Salaries ranged depending on region, with New York City and San Francisco on the high end of the spectrum, and Florida and Dallas on the low end. Mondo also found the technology skills and positions in highest demand included network security analysts and cloud engineers. The technology recruiting company Mondo based its findings on 3,500 job placements over the past year.
- Twenty-three percent of the components in the average software application contain known vulnerabilities, according to a report released Wednesday by Sonatype Inc. The "2015 State of the Software Supply Chain Report," which analyzed 17 billion requests for open source and third-party software components from 106,000 software development organizations, "hundreds of thousands" of suppliers, and "billions" of software components concluded that "current approaches to software supply chain management are insufficient to keep up with today's volume." In its report, Sonatype researchers, who manage one of the world's largest public open source repositories, found 51,000 components in the repository have a known security vulnerability, and the average software application, which has an average of 106 components, has 24 known critical or severe vulnerabilities. Research also found the mean time-to-repair a vulnerability in a component clocks in at 390 days.
Get caught up on sandbox-defeating and password-stealing malware
Learn more about HTTPS, infosec salaries and software development security