Six researchers identified a number of flaws in the way OS X manages app data. The findings were disclosed to Apple in October, and a patch for the problem is still missing.
Six security researchers from Indiana University, Georgia Tech and the University of Beijing have identified a number of "high-impact vulnerabilities" that allow a sandboxed app, one previously approved for publication in Apple's App Store, to gain access to other applications' data, both the data stored in an app's private directory and the contents of the Keychain.
The researchers developed a scanner to gauge how widespread the problem is, analysing over 1,600 OS X apps and 200 iOS apps. The analysis showed that 88.6% of the apps are vulnerable, and the proof-of-concept attack code included in the sandboxed scanner app recovered passwords stored in the Keychain.
The researchers say that "these problems are caused by a lack of app-to-app and app-to-OS authentication". In other words, once an app has been admitted to the sandbox and deemed "friendly" by the operating system, few if any checks are performed on its subsequent behaviour.
At first glance, exploitability may seem quite low, since it requires either an app built specifically for malicious purposes that passes Apple's review, or Gatekeeper (Apple's security and sandboxing mechanism) being disabled or bypassed by the computer's user.
The researchers submitted to the iOS and OS X stores various apps suitably modified to carry out the attack; these passed the reviews and became available to the public. The researchers removed the apps immediately after approval to avoid causing harm to users.
The researchers' findings were disclosed to Apple on October 15, 2014; Apple, citing the complexity of the problem, asked to postpone publication of the results by six months. In any case, the vulnerabilities have been found to persist, despite an attempted fix, both in OS X 10.10.3 and in 10.10.4, currently in beta.
The solution, for that matter, may not be so simple: the researchers argue that developers should be given appropriate interfaces allowing them to specify and enforce their own access policies. In any case, it may require a more or less extensive reworking of the way the operating system manages these activities.
One of the flaws identified concerns the behaviour of the Keychain, which has no mechanism for checking whether or not an app is authorised to modify its entries. In the video above the researchers show how an app written for this purpose can delete existing entries or create new ones and thereby gain access to protected items.
Another vulnerability, shown in the video above, lies in the OS X app container, which is meant to prevent apps downloaded from the Mac App Store from accessing other apps' data without express permission to do so. Apple enforces this access control in part by giving each app a Bundle ID, whose uniqueness is guaranteed by the Mac App Store.
The Mac App Store does not, however, verify the uniqueness of the Bundle IDs belonging to helper apps: creating a helper app with the same Bundle ID as a legitimate app can grant access to the latter's container.
The last flaw was found in URL Schemes and allowed the researchers to hijack the URL scheme of another legitimate app, intercepting any information passed between them. The researchers gave another example in which a malicious app registered the fbauth:// scheme, used by iOS apps to sign in with Facebook, and was able to intercept the user's Facebook authentication token.
The researchers have proposed a "scanner app" able to run in user land to detect cross-app attacks and nip them in the bud, so as to provide a measure of immediate protection. This system rules out false positives, but the researchers point out that some attack attempts could go unnoticed.
The scanner prototype developed by the researchers used no more than 0.2% of CPU during its checks, which run when a new app starts using the Keychain or when an app needs to update existing user credentials, neither of which happens particularly often.
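To make the three checks such a scanner performs concrete, here is an added, simplified conflict scanner in Python; it is not the researchers' code, and the app manifests and Keychain entries it inspects are constructed sample data, not real system state.

```python
"""Simplified cross-app conflict scanner modelled on the three flaw classes
described on this page: Keychain ACL tampering, helper-app Bundle ID collisions
and duplicate URL scheme registrations. All manifests and keychain entries are
constructed sample data, not real system state."""
from collections import defaultdict

# Constructed app manifests. "parent" is None for a top-level app and the
# shipping app's bundle ID for a helper app bundled inside it.
APPS = [
    {"bundle_id": "com.example.mail",   "parent": None,                "schemes": ["mailto"]},
    {"bundle_id": "com.example.social", "parent": None,                "schemes": ["fbauth"]},
    {"bundle_id": "com.example.other",  "parent": None,                "schemes": ["fbauth", "otherapp"]},
    # helper shipped by com.example.other that claims the mail app's bundle ID
    {"bundle_id": "com.example.mail",   "parent": "com.example.other", "schemes": []},
]

# Constructed keychain entries: service, creating app, and the ACL of apps allowed to read it.
KEYCHAIN = [
    {"service": "mail-password", "creator": "com.example.mail",   "acl": ["com.example.mail"]},
    {"service": "social-token",  "creator": "com.example.social", "acl": ["com.example.social", "com.example.other"]},
]

def find_bundle_id_collisions(apps):
    """Helper apps whose bundle ID belongs to a top-level app other than their own parent."""
    top_level = {a["bundle_id"] for a in apps if a["parent"] is None}
    return sorted((a["bundle_id"], a["parent"]) for a in apps
                  if a["parent"] is not None and a["bundle_id"] in top_level and a["bundle_id"] != a["parent"])

def find_scheme_conflicts(apps):
    """URL schemes registered by more than one app; any of them could end up receiving the URL."""
    owners = defaultdict(set)
    for a in apps:
        for scheme in a["schemes"]:
            owners[scheme].add(a["bundle_id"])
    return {s: sorted(o) for s, o in owners.items() if len(o) > 1}

def find_keychain_acl_anomalies(items):
    """Keychain items whose ACL grants access to apps other than the item's creator."""
    anomalies = {}
    for item in items:
        extra = sorted(set(item["acl"]) - {item["creator"]})
        if extra:
            anomalies[item["service"]] = extra
    return anomalies

def scan(apps=APPS, items=KEYCHAIN):
    """Run all three checks and return the findings; empty results mean no conflict found."""
    return {
        "bundle_id_collisions": find_bundle_id_collisions(apps),
        "scheme_conflicts": find_scheme_conflicts(apps),
        "keychain_acl_anomalies": find_keychain_acl_anomalies(items),
    }

if __name__ == "__main__":
    for check, findings in scan().items():
        print(f"{check}: {findings or 'none'}")
```

On the sample data the scanner flags the helper that reuses the mail app's Bundle ID, the doubly registered fbauth scheme, and the Keychain item readable by an app other than its creator.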