Good ideas and conversation. No ads, no tracking. Login or Take a Tour!
Ruh Roh.... hopefully Cupertino will do what they need to do.
TLDR:
- In this paper, we identify a new category of security weak- nesses, called XARA, that pose a serious threat to the app isolation protection on modern OSes. Our study on the threat over the Apple platforms, the first of this kind, reveals its pervasiveness and significant impacts: critical system ser- vices and channels, including the keychain, WebSocket and Scheme, can all be exploited to gain access to other apps’ resources, and even the Apple Sandbox on OS X can be cracked, exposing an app’s container directory to the unauthorized party. The consequences of these attacks are serious, including leaks of user passwords, secret tokens and all kinds of sensitive documents. Our research shows that fun- damentally the problem comes from lack of authentication during app-to-app and app-to-system interactions, and further proposes new techniques to detect and mitigate such
a threat. This preliminary effort contributes to a better understanding of this understudied security problem, an important step for building a more effective app isolation mechanism on future OSes.
Of note:
- Particularly, 1Password is a leading paid app, which, as described in Section 3.3, is completely vulnerable. Other examples include LastPass (a popular password management app), Adobe Creative Cloud (an Adobe service app) and LiveReload (for dynamic web content reloading). These apps were all vulnerable to the attacks from malicious apps