Apple focuses more on security than others but yet again another manufacturer is shown to put user security way down their priority list. Six researchers have revealed zero-day flaws in Apple’s iOS and OSX. Zero-day flaws are those which are exploited by hackers before the manufacturer becomes aware. They claim it is possible to crack the password-containing keychain, break app sandboxes and bypass App Store security on Apple’s OSes.
Attackers can exploit these flaws and steal passwords and app data even from Apple’s preinstalled apps. The research team was able to upload a virus program to Apple’s app store and went undetected through Apple’s automated security checks. The same malware could be used to steal password data for the iCloud and the Mail app even on Apple Macs.
Research team leader Luyi Xing told the press that he and his team complied with Apple’s request to withhold their publication for six months but Apple did not contact them after that and neither did they fix the security flaws. Since the research has now been publicized, the team’s research can now be used by anybody for ill purposes.
The research paper is already available under the title Unauthorized Cross-App Resource Access on Mac OS X and iOS. The paper can be easily accessed by anyone but we chose not to provide the link to the research paper.
The team leader, Luyi Xing, says:
Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.
We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.
The team was even able to copy bank account details from Google Chrome on iOS and OSX 10.10.3 using a sandboxed app. The same method could be used to steal any type of app and security credentials.
It is frightening to know that the manufacturers who actively claim security and privacy as their major strength over their competitors are actually so lazy and ignorant when it comes to user security. There is no workaround for this and users are advised to refrain from downloading apps from less popular developers until this flaw is fixed.