Researchers across three universities have discovered seven classes of vulnerabilities in the sandboxing feature of Apple's iOS operating system, which if exploited could allow malicious actors to launch a bevy of attacks that would place an iPhone or iPad user's privacy and data at risk.
This sandbox uses a set profile, which Apple refers to as a “container,” that acts as an interface for third-party applications, granting each one parameter-based permissions for what actions they can take and what data they can access. It also is designed to confine any malicious or exploited third-party applications.
However, academics at North Carolina State University, Germany's Technische Universitat Darmstadt and Romania's University Politehnica of Bucharest announced this week that they have found flaws in the sandbox's code that could allow unscrupulous third-party developers – or bad actors who have secretly compromised their apps – to perform multiple unauthorized acts on iOS devices.
Specifically, attackers could exploit the vulnerabilities to bypass privacy settings for contacts, look up location search histories, access system file metadata, obtain a user's name and media library, consume disk storage space (in such a manner that uninstalling the app won't recover it), block access to system resources, and allow apps to share information with each other without permission. An NC State press release states that the exploits affect “nonjailbroken devices running later versions of iOS – including 9.0.2, the version that underwent the study.”
“Many people think that the closed operating system from Apple is more secure than the open Android system,” said Ahmad-Reza Sadeghi, another researcher and professor of computer science at Technische Universitat Darmstadt, in a university press release. To test the validity of this theory, the researchers decided to have a closer look at one of the key security features in iOS: the sandbox. “Our goal was to see if we [could] automate the detection of security vulnerabilities,” Sadeghi said.
To accomplish this, the researchers created a process called “SandScout” to extract the sandbox profile's binary code, reverse engineer it into readable form, and model it using a logic programming language so that they could perform a series of automated queries on the resulting model, looking for potential abuse scenarios. For instance: perhaps some “third-party applications have access to things that maybe you wouldn't want them to have access to,” said William Enck, one of the researchers and an associate professor of computer science at NC State. Or perhaps they have been granted write access, which “might cause some corruptions.”
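To make the querying idea concrete, here is a small added example, written for this article and not the SandScout tool or Apple's profile format. It models a handful of sandbox rules as facts and runs the kind of questions the researchers describe: which rules grant write access outside the app's container, which sensitive locations are readable, and whether file metadata is exposed. The rule syntax, the “last matching rule wins” precedence, the operation names, the container path and the list of sensitive locations are all constructed assumptions.

```python
"""Toy sandbox-profile audit in the spirit of SandScout.

Constructed example: the rule format, precedence, paths and operation
names below are assumptions for illustration, not Apple's real profile
language or the researchers' model.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    decision: str     # "allow" or "deny"
    operation: str    # operation name; a trailing "*" is a prefix wildcard
    filter_kind: str  # "subpath" (whole directory tree) or "literal" (exact path)
    path: str


# Constructed profile for a hypothetical app container.
# Assumption: rules are evaluated in order and the last match wins.
CONTAINER = "/private/var/containers/ExampleApp"
CONSTRUCTED_PROFILE = [
    Rule("deny", "file-write*", "subpath", "/"),
    Rule("allow", "file-read*", "subpath", CONTAINER),
    Rule("allow", "file-write*", "subpath", CONTAINER),
    Rule("allow", "file-read*", "subpath", "/private/var/mobile/Media"),
    Rule("allow", "file-write*", "subpath", "/private/var/tmp/shared"),
    Rule("allow", "file-read-metadata", "subpath", "/"),
]

# Constructed list of locations an auditor treats as privacy-sensitive.
SENSITIVE_PATHS = {
    "/private/var/mobile/Library/AddressBook": "contacts",
    "/private/var/mobile/Media": "media library",
}


def under(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies inside the `root` tree."""
    base = root.rstrip("/")
    return path == root or path.startswith(base + "/")


def op_matches(rule_op: str, op: str) -> bool:
    """Match an operation name against a rule, honouring the '*' wildcard."""
    if rule_op.endswith("*"):
        return op.startswith(rule_op[:-1])
    return rule_op == op


def path_matches(rule: Rule, path: str) -> bool:
    if rule.filter_kind == "literal":
        return path == rule.path
    return under(path, rule.path)


def decide(rules: List[Rule], operation: str, path: str) -> str:
    """Default-deny evaluation; the last matching rule determines the outcome."""
    decision = "deny"
    for rule in rules:
        if op_matches(rule.operation, operation) and path_matches(rule, path):
            decision = rule.decision
    return decision


def writable_outside_container(rules: List[Rule], container: str) -> List[str]:
    """Query 1: allow-write rules whose target is not inside the container."""
    return [
        r.path for r in rules
        if r.decision == "allow"
        and op_matches(r.operation, "file-write-data")
        and not under(r.path, container)
    ]


def sensitive_reads(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Query 2: sensitive locations whose contents the profile lets the app read."""
    return [
        (label, path) for path, label in SENSITIVE_PATHS.items()
        if decide(rules, "file-read-data", path) == "allow"
    ]


def metadata_exposed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Query 3: sensitive locations whose metadata (not contents) is readable."""
    return [
        (label, path) for path, label in SENSITIVE_PATHS.items()
        if decide(rules, "file-read-data", path) == "deny"
        and decide(rules, "file-read-metadata", path) == "allow"
    ]


if __name__ == "__main__":
    print("writes outside container:", writable_outside_container(CONSTRUCTED_PROFILE, CONTAINER))
    print("sensitive content readable:", sensitive_reads(CONSTRUCTED_PROFILE))
    print("metadata exposed only:", metadata_exposed(CONSTRUCTED_PROFILE))
```

Each query is one “abuse scenario” phrased as a question over the rule set, which is the shape of analysis the article attributes to SandScout; the real work reconstructs the actual profiles and expresses the questions as logic queries rather than Python loops, and an auditor would extend the sensitive-path list and the operation vocabulary to match the real profile.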
The researchers will flesh out the vulnerabilities in more detail in an upcoming academic research paper, “SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles,” which is set for release during the ACM Conference on Computer and Communications Security, scheduled to take place in Vienna from Oct. 24-28. Authorship of the upcoming academic paper is credited to Enck and Sadeghi, as well as researchers Luke Deshotels, Mihai Chiroiu, Razvan Deaconescu and Lucas Davi.
Until then, researchers are withholding certain key details while Apple works to address the problems. According to the researchers, they have been actively engaging with Apple and expect the company to eventually issue security patches. “They hope to have many of these problems fixed in iOS 10,” said Enck. “We haven't been able to review their fixes yet, but we have had discussions with them. Some of the things sound like they're not going to have complete fixes in 10, but they are aware of the problem and so they can look for apps that are abusing them.”
SCMagazine.com has contacted Apple for comment.