Researchers have uncovered huge holes in the application sandboxes protecting Apple’s OS X and iOS operating systems, a discovery that allows them to create apps that pilfer iCloud, Gmail, and banking passwords and can also siphon data from 1Password, Evernote, and other apps.
The malicious proof-of-concept apps were approved by the Apple App Store, which requires all qualifying submissions to treat every other app as untrusted. Despite the supposed vetting by Apple engineers, the researchers’ apps were able to bypass sandboxing protections that are supposed to prevent one app from accessing the credentials, contacts, and other resources belonging to another app. Like Linux, Android, Windows, and most other mainstream OSes, OS X and iOS strictly limit what each app can access in order to protect users against malware. The success of the researchers’ cross-app resource access (XARA) attacks raises troubling doubts about those assurances on the widely used Apple platforms.
“The consequences are dire,” they wrote in a research paper titled Unauthorized Cross-App Resource Access on MAC OS X and iOS. “For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome.” Referring to interprocess communication (the tightly controlled, Apple-approved mechanism by which one app interacts with another) and to the Bundle ID token used to enforce sandbox policies, the researchers continued:
A brief history of sandboxing
The Apple sandbox made its debut in OS X and uses the mandatory access control framework from the TrustedBSD project to enforce security policies at the system-call level. Since version 10.7.5, most apps submitted to Apple’s Mac App Store are required to adhere to the sandboxing scheme. By default, the OS X Gatekeeper prevents users from installing apps unless they come from the store or come from a trusted developer that adheres to sandboxing requirements. iOS apps, meanwhile, have always adhered to strict sandboxing.
Despite the strict controls, the researchers found several ways a malicious app can surreptitiously access data from another app that’s supposed to be off-limits. They included:
IPC interception: Browsers and other Internet-connected apps often use the WebSocket protocol to interact with extensions or other apps. A malicious app can capitalize on this usage by preemptively binding the local port that a trusted app uses to send or receive data over its WebSocket channel, so that the trusted app’s peer connects to the attacker instead. The researchers wrote:
The security risks of intercepting the IPC communication through these vulnerable channels are realistic and serious. As an example, here we just elaborate our end-to-end attacks on three popular apps. We analyzed the 1Password app for OS X, which is one of the most popular password management apps and ranked 3rd by the MAC App Store. The app comes with a browser extension for each major browser that collects the passwords from the user’s web account and passes them to the app through a WebSocket connection. In our research, our sandboxed app created a local WebSocket server that took over the port 6263, before the 1Password app did, and was successfully connected to the password extension and downloaded the password whenever the user logged into her web account. We reported our findings to the 1Password security team, which acknowledged the gravity of this problem. This attack succeeded on OS X 10.10 (latest version when we reported the problem), against Chrome, Firefox and Safari. Our attack code passed the vetting process of the MAC Store.
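The defensive counterpart to the port-squatting problem above, as an added example that is not from the article or from the paper: a local IPC client (standing in for the browser extension) releases a credential only after the listener proves, via an HMAC challenge-response, that it holds a secret the legitimate app was provisioned with. The shared secret, the plain TCP framing in place of WebSocket, and the impostor modelled as a listener without the secret are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import threading

# Constructed stand-in for a secret provisioned out of band (e.g. when the
# extension is installed); a process that merely squats the port lacks it.
SHARED_SECRET = b"constructed-install-time-secret"


def run_server(secret, port=0):
    """Start a local listener that answers a client nonce with HMAC(secret, nonce).

    secret=None models an impostor that grabbed the port first: it can accept
    the connection but can only answer with an all-zero tag.
    Returns the bound port (port=0 lets the OS pick a free one).
    """
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            nonce = conn.recv(32)
            tag = (hmac.new(secret, nonce, hashlib.sha256).digest()
                   if secret is not None else b"\0" * 32)
            conn.sendall(tag)
            conn.recv(1024)  # credential, or nothing if the client refused
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def client_send_credential(port, credential):
    """Extension side: hand over the credential only to an authenticated peer.

    Returns True if the credential was sent, False if the peer failed the
    challenge (the credential is then never written to the socket).
    """
    nonce = os.urandom(32)
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(nonce)
        tag = s.recv(32)
        expected = hmac.new(SHARED_SECRET, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # port squatter: withhold the credential
        s.sendall(credential)
        return True
```

The fixed port number a real app uses is irrelevant to the check: whichever process answers, it must know the secret before the client sends anything sensitive.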
View the original content and more from this author here: http://ift.tt/1d21bJr
from hacker samurai http://ift.tt/1Ss6HoS