| | |
| | |
Stat |
Members: 3645 Articles: 2'504'928 Articles rated: 2609
25 April 2024 |
|
| | | |
|
Article overview
| |
|
Unauthorized Cross-App Resource Access on MAC OS X and iOS | Luyi Xing
; Xiaolong Bai
; Tongxin Li
; XiaoFeng Wang
; Kai Chen
; Xiaojing Liao
; Shi-Min Hu
; Xinhui Han
; | Date: |
26 May 2015 | Abstract: | On modern operating systems, applications under the same user are separated
from each other, for the purpose of protecting them against malware and
compromised programs. Given the complexity of today’s OSes, less clear is
whether such isolation is effective against different kind of cross-app
resource access attacks (called XARA in our research). To better understand the
problem, on the less-studied Apple platforms, we conducted a systematic
security analysis on MAC OS~X and iOS. Our research leads to the discovery of a
series of high-impact security weaknesses, which enable a sandboxed malicious
app, approved by the Apple Stores, to gain unauthorized access to other apps’
sensitive data. More specifically, we found that the inter-app interaction
services, including the keychain, WebSocket and NSConnection on OS~X and URL
Scheme on the MAC OS and iOS, can all be exploited by the malware to steal such
confidential information as the passwords for iCloud, email and bank, and the
secret token of Evernote. Further, the design of the app sandbox on OS~X was
found to be vulnerable, exposing an app’s private directory to the sandboxed
malware that hijacks its Apple Bundle ID. As a result, sensitive user data,
like the notes and user contacts under Evernote and photos under WeChat, have
all been disclosed. Fundamentally, these problems are caused by the lack of
app-to-app and app-to-OS authentications. To better understand their impacts,
we developed a scanner that automatically analyzes the binaries of MAC OS and
iOS apps to determine whether proper protection is missing in their code.
Running it on hundreds of binaries, we confirmed the pervasiveness of the
weaknesses among high-impact Apple apps. Since the issues may not be easily
fixed, we built a simple program that detects exploit attempts on OS~X, helping
protect vulnerable apps before the problems can be fully addressed. | Source: | arXiv, 1505.6836 | Services: | Forum | Review | PDF | Favorites |
|
|
No review found.
Did you like this article?
Note: answers to reviews or questions about the article must be posted in the forum section.
Authors are not allowed to review their own article. They can use the forum section.
browser Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
|
| |
|
|
|
| News, job offers and information for researchers and scientists:
| |