Security researchers have found major flaws in OS X and a single one in iOS that open the door to malware. The exploits allow malicious apps that have made their way into the App Store to bypass or ignore sandbox and other security protections to grab passwords from other apps’ keychain entries, steal data from other apps’ private data storage, hijack network ports, and masquerade as different apps to intercept certain communications.

Apple’s review process for the App Store, for both iOS and OS X, is supposed to prevent malware from entering its system. If that bulwark fails, the company relies on sandboxing, which prevents apps from accessing data and files other than those managed by the app, except through very tightly defined channels.

Four paths to crack

The paper outlines four separate points of weakness:

  • Password theft via the system-wide keychain.
  • Container cracking between apps, where one app can retrieve the contents of another sandboxed app’s ostensibly private data store.
  • Internet socket interception, which allows a malicious app to hijack the flow of traffic to an app.
  • Scheme hijacking (both iOS and OS X), in which the system-wide method of launching one app from another is redirected to capture login tokens or other information.
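A defensive check for the last item, as an added example that is not code from the researchers' paper or from Apple: it takes the Info.plist of each installed app and reports every URL scheme claimed by more than one bundle. It assumes the "scheme" in question is the URL scheme an app declares under CFBundleURLTypes/CFBundleURLSchemes; the bundle identifiers and scheme names are constructed sample data.

```python
import plistlib
from collections import defaultdict


def declared_schemes(info_plist_bytes):
    """Return the lower-cased URL schemes that one Info.plist claims."""
    info = plistlib.loads(info_plist_bytes)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            # URL schemes are case-insensitive, so normalise before comparing.
            schemes.add(scheme.lower())
    return schemes


def find_scheme_collisions(apps):
    """apps maps bundle id -> raw Info.plist bytes.

    Returns {scheme: sorted bundle ids} for every scheme that more than
    one app claims; each such entry needs a manual look at who owns it.
    """
    claims = defaultdict(set)
    for bundle_id, raw in apps.items():
        for scheme in declared_schemes(raw):
            claims[scheme].add(bundle_id)
    return {s: sorted(ids) for s, ids in claims.items() if len(ids) > 1}


def _sample_plist(bundle_id, schemes):
    """Build a minimal Info.plist (constructed sample, not a real app)."""
    return plistlib.dumps({
        "CFBundleIdentifier": bundle_id,
        "CFBundleURLTypes": [{"CFBundleURLSchemes": schemes}],
    })


# Constructed inventory: two apps claim the same scheme with different case.
SAMPLE_APPS = {
    "com.example.notes": _sample_plist("com.example.notes", ["examplenotes"]),
    "com.example.photos": _sample_plist("com.example.photos", ["examplephotos"]),
    "com.example.lookalike": _sample_plist("com.example.lookalike", ["ExampleNotes"]),
}

if __name__ == "__main__":
    for scheme, owners in find_scheme_collisions(SAMPLE_APPS).items():
        print(f"{scheme}: claimed by {', '.join(owners)}")
```
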

How to Protect your Devices

A system-wide update to Apple’s OS X and iOS is the only way to protect yourself fully against these vulnerabilities, the researchers said. However, we are patiently waiting to hear from Apple how it is planning to resolve this huge issue.
To protect themselves against such vulnerabilities, users of all operating system platforms are advised to limit the apps they install on their devices to those that are needed and explicitly trusted.

Bypassed Apple’s App Store Security Checks

The malicious app was also able to bypass Apple’s App Store security checks, which are designed to ensure one app cannot gain access to other apps’ data without permission.
However, the more worrisome part is that the malicious app was approved by Apple for placement in its App Store, where apps are supposed to be pre-examined by Apple security engineers to catch potentially malicious ones.
Apple did not immediately respond to a request for comment.
The zero-day flaws, discovered by Indiana University boffins Xing, Xiaolong Bai, XiaoFeng Wang and Kai Chen together with Tongxin Li of Peking University and Xiaojing Liao of Georgia Institute of Technology, were reported to Apple last October, but the company requested a 6-month period before they were made public.
However, according to their paper, the issues persist and millions of Apple users can still be affected by these zero-day flaws.