Significant Security Hole in iOS and OS X Keychain Exposed

Making the problem worse is that the researchers were able to upload apps to the App Store and the Mac App Store that contained this malware. The software bypassed Apple's vaunted vetting process, and this was after the researchers alerted Apple to the problem going back to October of 2014.

Apple asked the team to give it six months before exposing the problem, which the researchers did. The company then asked for an advanced copy of the researchers' paper in February, which they gave to Apple. When the team heard nothing further from Apple, it released its findings, as is customary in the security field.

“Our study brings to light a series of unexpected, security-critical flaws that can be exploited to circumvent Apple's isolation protection and its App Store's security vetting,” the researchers wrote. “The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed.”

Apple sandboxed OS X and iOS both, a term meaning that apps aren't allowed by the operating system to access data from another app without exceptions granted by the operating system. It's a tradeoff for security at the expense of some convenience, as it makes it harder for apps to talk to each other at all.

The problem is that even though Apple sandboxed its operating systems, this vulnerability—called unauthorized cross-app resource access, or XARA—was still found. It not only allows potential malware to grab data from another app, it allows it to grab your Keychain data.

For many of us, that means most, if not all, of our passwords.

“Such findings, which we believe are just a tip of the iceberg,” the researchers wrote, “will certainly inspire the follow-up research on other XARA hazards across platforms. Most importantly, the new understanding about the fundamental cause of the problem is invaluable to the development of better app isolation protection for future OSes.”

We can hope that is true, but until Apple fixes this problem, this is a significant problem for iOS and OS X users. To that end, Apple has yet to comment on the problem.

In the meanwhile, you can be sure that every government intelligence service, every criminal hacker group, and security researchers with white and black hats are studying these findings.

Four of the researchers are based at Indiana University, while one is at Peking University, and the sixth is at the Georgia Institute of Technology.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

WIN an iPhone 16 Pro Max!