On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today's OSes, less clear is whether such isolation is effective against different kind of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS~X and iOS. Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps' sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS~X and URL Scheme on the MAC OS and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the app sandbox on OS~X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of MAC OS and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS~X, helping protect vulnerable apps before the problems can be fully addressed.
[1]
Wenke Lee,et al.
Jekyll on iOS: When Benign Apps Become Evil
,
2013,
USENIX Security Symposium.
[2]
Trent Jaeger,et al.
STING: Finding Name Resolution Vulnerabilities in Programs
,
2012,
USENIX Security Symposium.
[3]
Christopher Krügel,et al.
PiOS: Detecting Privacy Leaks in iOS Applications
,
2011,
NDSS.
[4]
Helen J. Wang,et al.
Permission Re-Delegation: Attacks and Defenses
,
2011,
USENIX Security Symposium.
[5]
Rui Wang,et al.
Unauthorized origin crossing on mobile platforms: threats and mitigation
,
2013,
CCS.
[6]
Wenke Lee,et al.
CHEX: statically vetting Android apps for component hijacking vulnerabilities
,
2012,
CCS.
[7]
Yizheng Chen,et al.
On the Feasibility of Large-Scale Infections of iOS Devices
,
2014,
USENIX Security Symposium.
[8]
XiaoFeng Wang,et al.
Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating
,
2014,
2014 IEEE Symposium on Security and Privacy.
[9]
David A. Wagner,et al.
Analyzing inter-application communication in Android
,
2011,
MobiSys '11.
[10]
Robert H. Deng,et al.
Launching Generic Attacks on iOS with Approved Third-Party Applications
,
2013,
ACNS.
[11]
Frank Salim,et al.
The WebSocket API
,
2013
.
[12]
Yajin Zhou,et al.
Systematic Detection of Capability Leaks in Stock Android Smartphones
,
2012,
NDSS.
[13]
Ahmad-Reza Sadeghi,et al.
Privilege Escalation Attacks on Android
,
2010,
ISC.