Unauthorized Cross-App Resource Access on Mac OS X and iOS

This paper is to appear at the 22nd ACM Conference on Computer and Communications Security 2015 (CCS), authored by Luyi Xing, Xiaolong Bai, Tongxin Li, XiaoFeng Wang, Kai Chen, Xiaojing Liao, Shi-min Hu, Xinhui Han.

XARA Vulnerabilities on Mac OS X and iOS

On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today’s OSes, less clear is whether such isolation is effective against different kind of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS X and iOS. Our research leads to the discovery of a series of highimpact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps’ sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS X and URL Scheme on OS X and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of OS X and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS X, helping protect vulnerable apps before the problems can be fully addressed. We further discuss the insights from this study and the lessons learnt for building a securer system.

Attack Demos:

Keychain Hacking: steal iCloud token and any passwords saved by Google Chrome browser on OS X.

Container Cracking: crack Apple’s Sandboxing and touch other apps’ data.

More demos

IPC Interception

    Demo here for NSConnection attack against Evernote app, stealing Evernote authentication token.
    Demo here for NSConnection attack against Keychain Access (a system app on OS X), stealing OS X username and password.
    Demo here for Websocket attack against 1Password app, stealing all passwords used in Chrome browser.
    Demo here for port hijacking attack against Pushbullet app, stealing Pushbullet authentication token.

Scheme Hijacking

    Demo here for iOS scheme hijacking, stealing Pinterest authentication token.
    Demo here for OS X scheme hijacking, stealing Wunderlist authentication token.
    Demo here for OS X scheme hijacking, phishing for OS X user credentials.

Media Coverage