Zero-Day Flaw Victimizes Apple iOS and OSX Apps

Researchers this week disclosed zero-day flaws in Apple’s iOS and OSX operating systems that allowed them to raid password keychains, crack secure containers, and circumvent Apple App Store security checks.

The group of six researchers from Indiana University, Peking University and Georgia Institute of Technology claims that almost 90% of the over 1,600 OSX apps and 200 iOS apps it tested are vulnerable, making this a significant concern for Apple platform users. These apps are victimized by what the group calls an “unauthorized cross-app resource access (XARA)” attack, which allows malware to steal secure data.

The design of Apple’s operating systems is supposed to thwart these kinds of attacks by sandboxing apps from each other, effectively preventing them from being capable of raiding each other. However, this research proves this is likely no longer the case, putting hundreds of millions of devices at significant risk.

After cracking the keychain service, the group was able to gain access to stored passwords, credentials and sandbox containers. As well, the group uncovered “weaknesses within the inter-app communication mechanism on OSX and iOS which can be used to steal confidential data.” The group was also successful in publishing to the Apple App Store a malicious app capable of stealing sensitive information like photos and tokens.

The group, which describes the situation as “dire,” informed Apple of the vulnerability in October 2014, however Apple failed to respond in a timely manner and the group published its findings publicly.

Although the group’s claims seem substantiated through well-documented research and video demonstrations, Check Point can assure its customers that our Capsule Workspace container is secure from this type of attack.

The group’s research describes several unrelated exploits that can compromise a user’s information. Of these, the two more severe exploits compromise the keychain to steal secret information such as passwords, and can crack containers whereby a malicious app is able to access another app’s container, thus compromising its private data. These two exploits are only possible on OS X. Due to a more limited design or different security implementation of these features on iOS, the keychain is sandboxed and sharing is not allowed; and apps and frameworks are installed in unique folders.

The other two exploits describe IPC (inter-process communication) vulnerabilities. In the first, WebSockets describe a problematic design on Apple’s part, where apps cannot authenticate their connection. Thus, they are unable to verify a connection is established with the correct app on the other end. Capsule Workspace does not use WebSockets for IPC, and so it is not vulnerable to this attack.

The second exploit describes a well-known IPC vulnerability on iOS, where apps can hijack schemes and thereby compromise data. Application schemes are often used on iOS as the primary method of passing information between apps. Due to the inherently insecure design of app schemes, in our wrapping solution we have developed a secure IPC protocol over schemes to ensure information remains secure and cannot be compromised.

This type of attack does, however, highlight the importance of having proactive tools that can detect, mitigate and eliminate advanced attacks on smartphones and tablets. Check Point Mobile Threat Prevention is designed to detect suspicious behavior on mobile devices and takes appropriate steps immediately to safeguard sensitive information.

For more information, visit