Researchers get password-stealing malware into the App Stores for iOS and OS X
Researchers state that they have found critical vulnerabilities in iOS and OS X that have not yet been closed by Apple. Passwords can be obtained from apps via so-called cross-app resource access attacks, while malware can also be uploaded to the App Store.
The researchers, from Indiana University, Peking University and the Georgia Institute of Technology, write in a research report that it is possible in both OS X and iOS to access data from other apps via a malicious app. For example, they were able to extract passwords and tokens for iCloud from the keychain – a ‘vault’ for the shared storage of sensitive data within the operating system – via the cross-app resource access attack method. In doing so, the sandbox principle is circumvented: this security mechanism is intended to prevent such behavior by means of compartmentalization of software. Other cross-app software layers that Apple has developed, such as WebSocket and Scheme, could also be exploited.
In addition, the researchers say they managed to get manipulated, malicious apps through Apple’s approval process and made them available in the Mac App Store and the iOS App Store. This would allow attackers to place software that steals data from other, legitimate apps in App Stores that are deemed safe. According to the researchers, a sample showed that about 88 percent of investigated OS X and iOS apps can be attacked in this way.
According to the researchers, they reported their findings, which they classify as very serious, to Apple in October last year. Apple is said to have requested that the publication of the research report be delayed for at least six months to address the issues, but after that period, the researchers received no further feedback from the Cupertino-based company. As a result, current versions of iOS and OS X remain affected by the security vulnerabilities described.
Meanwhile, the security researchers say they have developed an application that, until a fix is released, could detect cross-app resource access attacks, although this tool has limited value. The researchers also provide a number of tips on how app developers can reduce the risk of such attacks.