
Serious Apple Vulnerabilities Put Users' Credentials At Risk

Sensitive Data At Risk


Researchers based at the University of Indiana have found four Apple security flaws that could bypass security and steal sensitive data from apps. The vulnerabilities were reported to Apple in October 2014. Apple asked to be given six months to patch them, but so far only some of the vulnerabilities have been patched. The researchers call this class of attacks XARA; it poses a serious threat to the app isolation protection on modern OSes.

Password Stealing

On the Apple platforms, a sandboxed app by default is still allowed to access some security-critical services. A prominent example is Apple's keychain, the credential management service through which an app can store the user's passwords, secret keys and certificates. These credentials are then used automatically by authorized apps after the user "unlocks" the keychain by entering her password, which from the user's point of view resembles transparent single sign-on (though it is more powerful). The keychain is unlocked automatically whenever the user logs in, if its password is identical to the login password.

If the targeted app is already installed, a malicious app can delete its existing keychain entry and create a new one, into which the user will re-enter their credentials the next time they access the targeted app.

Container Cracking

The security weaknesses within the keychain arise when sandboxed apps want to share resources (i.e., passwords) across the sandbox boundary. However, even the private resources inside each app's sandbox, which were never designed for sharing, are exposed to XARA attacks, due to a weakness in the unique bundle ID (BID)-based separation design on OS X.

On OS X, all apps' containers are under the directory ~/Library/Containers/, e.g., ~/Library/Containers/com.evernote.Evernote/. What complicates matters is the embedded programs within an app, that is, the sub-targets of the app's project, each of which carries its own BID. This BID conflict threat affects every sandboxed app running on OS X. In our study, we implemented end-to-end attacks on a few high-profile apps, including Evernote, WeChat, QQ (a popular online chat app) and Money Control (a popular finance app). An XPC Service that hijacked the target app's BID successfully stole all the contacts of the user and her private notes from ~/Library/Containers/com.evernote.Evernote/account/. It also recovered all the message photos under WeChat and QQ. Again, our app got through the security check of the Mac App Store.

IPC Interception

Breaches of cross-app resource sharing (i.e., the keychain) and of the BID-based sandbox isolation mechanism unwittingly grant the adversary unauthorized access to other apps' resources. The problem, unfortunately, does not stop here: in our research, we found that major cross-app communication (IPC) channels on OS X.

This exposes critical information, e.g., all web passwords in major browsers, to the adversary in even more ways. The problem is that, in the absence of proper authentication, a malicious program (with the network permission, when it is sandboxed) can preemptively claim the port before the legitimate server does. This lets it receive data from the target browser extension. The same risk exists on the browser side: a malicious extension can impersonate the authorized one to talk to the local app through its port.
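The fix the passage above points at is "proper authentication": neither end of the local channel should trust whoever happens to be listening on, or connecting to, the port. The following is an added example, not code from the article or from the XARA paper. It shows a mutual HMAC challenge-response over a loopback socket and assumes a shared key established out of band between the extension (client) and the local app (server); the key, nonce sizes and payload are constructed for the demo. The client sends nothing to a server that cannot prove it holds the key, and the server discards data from a client that cannot.

```python
"""Mutual challenge-response authentication for a localhost IPC port.
Added example, not code from the article or the XARA paper. Assumes the
browser extension (client) and the local app (server) share a secret key
established out of band; the key, nonce sizes and payload are constructed."""
import hashlib
import hmac
import os
import socket
import threading

SAMPLE_PAYLOAD = b"constructed sample: web password for example.test"


def tag(key, role, client_nonce, server_nonce):
    """HMAC over both nonces, bound to the role so a proof cannot be reflected."""
    return hmac.new(key, role + client_nonce + server_nonce, hashlib.sha256).digest()


def recv_exact(conn, n):
    """Read exactly n bytes, or fewer if the peer closes the connection first."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def serve_once(listener, key):
    """Local app side: prove knowledge of the key first, then check the
    client's proof, and only then accept the payload. Returns the payload,
    or None when the client failed to authenticate."""
    conn, _addr = listener.accept()
    with conn:
        conn.settimeout(5)
        client_nonce = recv_exact(conn, 32)
        server_nonce = os.urandom(32)
        conn.sendall(server_nonce + tag(key, b"server", client_nonce, server_nonce))
        client_tag = recv_exact(conn, 32)
        if not hmac.compare_digest(client_tag, tag(key, b"client", client_nonce, server_nonce)):
            return None  # peer on the port does not hold the key: drop it
        payload = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return payload
            payload += chunk


def send_authenticated(port, key, payload, verify_server=True):
    """Extension side: send payload only if whoever answers the port proves
    it holds the shared key. Returns True if the payload was sent."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        client_nonce = os.urandom(32)
        conn.sendall(client_nonce)
        reply = recv_exact(conn, 64)
        server_nonce, server_tag = reply[:32], reply[32:]
        expected = tag(key, b"server", client_nonce, server_nonce)
        if verify_server and not hmac.compare_digest(server_tag, expected):
            return False  # something else claimed the port first: send nothing
        conn.sendall(tag(key, b"client", client_nonce, server_nonce))
        conn.sendall(payload)
        return True


def demo(server_key, client_key, verify_server=True, payload=SAMPLE_PAYLOAD):
    """Run one exchange on an OS-chosen loopback port.
    Returns (client_sent, server_received)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(got=serve_once(listener, server_key)))
    worker.start()
    sent = send_authenticated(port, client_key, payload, verify_server)
    worker.join(5)
    listener.close()
    return sent, outcome.get("got")


if __name__ == "__main__":
    key = os.urandom(32)
    print("legitimate pair:", demo(key, key))
    print("listener without the key:", demo(os.urandom(32), key))
    print("client without the key, skipping its check:", demo(key, os.urandom(32), verify_server=False))
```

The role label inside the HMAC matters: without it, a peer could replay the server's own proof back to it. The `verify_server` switch exists only so the demo can show the server-side rejection; a real client should always verify.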

Scheme Hijacking

The URL scheme, an inter-app communication channel, works differently on the Apple platforms. Specifically, Apple's OSes automatically associate a scheme with one app even when multiple apps claim the same scheme. This design leads to a problem unique to Apple's OSes: scheme takeover. Essentially, a URL scheme is a simple protocol that an app defines for communicating with others. The app specifies a URL format in its plist file and lets other apps invoke it and pass parameters through the URL.

This vulnerability allows a malicious app to hijack a scheme, which means data sent to the target app is received by the malicious app instead. This could facilitate the theft of access tokens and other information.
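Both conditions described in the last two sections, a bundle ID claimed by more than one program (including embedded XPC services and helpers) and a URL scheme registered by more than one app, are visible in the Info.plist files of installed bundles, so a defender can audit for them. The script below is an added example, not code from the article or the paper. It builds a constructed tree of fake bundles in a temporary directory (reusing the com.evernote.Evernote identifier from the article, with an assumed "evernote" scheme and invented app names), then reports every identifier and scheme with more than one claimant. Point `audit()` at /Applications on a real Mac to run it against installed software.

```python
"""Audit a directory of .app bundles for bundle identifiers (BIDs) and URL
schemes that are claimed by more than one program. Added example, not code
from the original article or the XARA paper; the sample bundles it writes are
constructed for the demo."""
import os
import plistlib
import tempfile
from collections import defaultdict


def find_info_plists(root):
    """Yield every <bundle>/Contents/Info.plist below root, including the
    plists of embedded programs (XPC services, helper apps) nested inside
    another bundle, since those sub-targets carry their own BIDs."""
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "Contents" and "Info.plist" in files:
            yield os.path.join(dirpath, "Info.plist")


def read_bundle_info(plist_path):
    """Return (bundle_path, bundle_id, schemes) for one Info.plist.
    plistlib reads both the XML and the binary plist formats."""
    with open(plist_path, "rb") as fp:
        info = plistlib.load(fp)
    bundle_path = os.path.dirname(os.path.dirname(plist_path))
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return bundle_path, info.get("CFBundleIdentifier"), schemes


def audit(root):
    """Map each BID and each URL scheme to the bundles claiming it and
    return only the entries with more than one claimant."""
    by_bid, by_scheme = defaultdict(list), defaultdict(list)
    for plist_path in find_info_plists(root):
        bundle_path, bid, schemes = read_bundle_info(plist_path)
        if bid:
            by_bid[bid].append(bundle_path)
        for scheme in schemes:
            by_scheme[scheme.lower()].append(bundle_path)  # schemes are case-insensitive
    dup_bids = {b: sorted(p) for b, p in by_bid.items() if len(p) > 1}
    dup_schemes = {s: sorted(p) for s, p in by_scheme.items() if len(p) > 1}
    return dup_bids, dup_schemes


def write_bundle(path, bundle_id, schemes=()):
    """Write a minimal Info.plist for a constructed demo bundle."""
    info = {"CFBundleIdentifier": bundle_id}
    if schemes:
        info["CFBundleURLTypes"] = [{"CFBundleURLSchemes": list(schemes)}]
    contents = os.path.join(path, "Contents")
    os.makedirs(contents, exist_ok=True)
    with open(os.path.join(contents, "Info.plist"), "wb") as fp:
        plistlib.dump(info, fp)


def build_demo_tree(root):
    """Constructed sample: the legitimate Evernote bundle, a benign app, and
    an app (invented name) whose embedded XPC service claims Evernote's BID
    and whose own plist claims the 'evernote' URL scheme."""
    apps = os.path.join(root, "Applications")
    write_bundle(os.path.join(apps, "Evernote.app"), "com.evernote.Evernote", ["evernote"])
    write_bundle(os.path.join(apps, "GoodApp.app"), "com.example.goodapp")
    suspect = os.path.join(apps, "FreeGame.app")
    write_bundle(suspect, "com.example.freegame", ["Evernote"])
    write_bundle(os.path.join(suspect, "Contents", "XPCServices", "Helper.xpc"),
                 "com.evernote.Evernote")


def run_demo():
    """Build the sample tree in a temp dir and return the audit findings."""
    root = tempfile.mkdtemp(prefix="xara-audit-")
    build_demo_tree(root)
    return audit(root)


if __name__ == "__main__":
    dup_bids, dup_schemes = run_demo()
    for bid, paths in dup_bids.items():
        print(f"BID {bid} claimed by: {paths}")
    for scheme, paths in dup_schemes.items():
        print(f"URL scheme '{scheme}' claimed by: {paths}")
```

A duplicate BID on an embedded program is the stronger signal, since a top-level app cannot normally get a colliding identifier past the App Store, whereas a duplicate URL scheme is only a lead: the system resolves the scheme to one app, and the audit cannot tell which one won without asking LaunchServices.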

Mitigation

Always install the latest security updates, and always check the source when installing new apps. Even though the malicious apps bypassed the App Store security review, take caution when installing new apps.

The consequences of these attacks are serious, including leaks of user passwords, secret tokens and all kinds of sensitive documents.

Author: Shivniel Gounder

TheGeek: Writes about information security, privacy, cybersecurity, the latest tech gadgets and more.
