Some 88.6% of iOS and OS X apps using resource-sharing mechanisms and IPC channels are completely exposed to unauthorized cross-app resource access, or XARA, attacks, according to a report by university researchers from Indiana University, Georgia Tech and Peking University.
"The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed. Such findings, which we believe are just a tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms," the researchers say. "The new understanding about the fundamental cause of the problem is invaluable to the development of better app-isolation protection for future OSes."
Critical system services and channels, including the keychain, WebSocket and Scheme, can all be exploited to gain access to other apps' resources, and even the Apple Sandbox on OS X can be cracked, exposing an app's container directory, they concluded.
The team succeeded in uploading malware to Apple's app stores, passed control processes without detection, installed malware on the victim's device and raided the keychain to steal passwords for services including iCloud and the Mail app stored within Google Chrome. Compared to OS X, iOS is more secure as it does not support credential sharing.
These attacks could lead to "leaks of user passwords, secret tokens and all kinds of sensitive documents," the researchers said. "Our research shows that fundamentally the problem comes from lack of authentication during app-to-app and app-to-system interactions, and further proposes new techniques to detect and mitigate such a threat."
Lead researcher Luyi Xing complied with Apple’s request to withhold publication of the research for six months, but had not heard back as of the time of writing, according to The Register. They say the vulnerabilities are still present in Apple’s software, and their study will likely be used by cyber criminals looking to earn money. Apple did not comment on that.
The researchers ran their analyzer on 1,612 of the most popular Mac apps and 200 iOS apps.