Researchers with Indiana University Bloomington, Peking University, and Georgia Institute of Technology have identified a series of critical weaknesses in Apple's OS X and iOS that can enable a variety of attacks, such as stealing user passwords, secret tokens and sensitive documents.
The researchers refer to the threat as a cross-app resource access (XARA) attack, which enables sandboxed malicious apps to access sensitive data from other apps, according to a whitepaper, “Unauthorized Cross-App Resource Access on MAC OS X and iOS.”
The issue ultimately boils down to a lack of authentication during app-to-app and app-to-OS interactions.
“[W]e found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote,” the whitepaper said, adding that the “App sandbox on OS X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID.”
The researchers noted in the whitepaper that during testing all of their attack apps passed inspections and were successfully uploaded to the respective App Stores, which are well known for having strict app approval requirements.
According to a report by The Register, the researchers contacted Apple and agreed to a request to hold off on publishing the findings for six months. As of Wednesday, the date the report was published, the researchers had not heard back.
In the whitepaper, the researchers proposed techniques to detect and mitigate the threat.
“To better understand their impacts, we developed a scanner that automatically analyzes the binaries of OS X and iOS apps to determine whether proper protection is missing in their code,” the whitepaper said, later adding, “Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS X, helping protect vulnerable apps before the problems can be fully addressed.”
In a Wednesday email correspondence with SCMagazine.com, Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, referred to the research as interesting, and noted that the impact will vary depending on what apps are being used.
“One thing to keep in mind is all the attacks depend on the victim downloading a malicious app,” Miller said. “This isn't a remote attack or anything like that, so if a user is careful in what they are downloading, they should be fine.”
Apple did not return an SCMagazine.com request for comment.