DOI: 10.1145/2810103.2813609

Research article

Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS

Published: 12 October 2015

Abstract

On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today's OSes, less clear is whether such isolation is effective against different kinds of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS X and iOS. Our research led to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps' sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS X and URL Scheme on MAC OS and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the app sandbox on OS X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentication. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of MAC OS and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS X, helping protect vulnerable apps before the problems can be fully addressed.
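The root cause the abstract names is that the receiving side of a keychain, socket, NSConnection or URL-scheme interaction never authenticates which app is on the other end. The Objective-C below is an added example, not code from the paper or its authors: it shows one way a local OS X service can verify a connecting process's code signature before serving it anything. Obtaining the peer pid from a Unix-domain socket via LOCAL_PEERPID, the bundle identifier "com.example.Client" and the Team ID "ABCDE12345" are all assumptions of this example.

```objective-c
// Added example, not from the paper: authenticate a local IPC peer by its code
// signature before handing it data. Hypothetical assumptions: the peer is on a
// Unix-domain socket (pid via LOCAL_PEERPID); "com.example.Client" and
// "ABCDE12345" are placeholder bundle identifier and Team ID.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <sys/socket.h>
#include <sys/un.h>

// YES only if process `pid` runs code satisfying `requirement`, an expression in
// the Code Signing Requirement Language.
static BOOL PeerSatisfiesRequirement(pid_t pid, NSString *requirement) {
    SecCodeRef code = NULL;
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(pid) };
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NO;                                  // no such process
    }
    SecRequirementRef req = NULL;
    OSStatus st = SecRequirementCreateWithString((__bridge CFStringRef)requirement,
                                                 kSecCSDefaultFlags, &req);
    if (st == errSecSuccess) {
        // Validates the running image against anchor, identifier and team.
        st = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
        CFRelease(req);
    }
    CFRelease(code);
    return st == errSecSuccess;
}

// Pid of the process on the other end of an accepted Unix-domain socket.
static pid_t PeerPid(int fd) {
    pid_t pid = 0;
    socklen_t len = sizeof(pid);
    return getsockopt(fd, SOL_LOCAL, LOCAL_PEERPID, &pid, &len) == 0 ? pid : 0;
}

// Pin the Apple-issued chain, the expected bundle identifier AND the signer's
// Team ID: the identifier alone is exactly what the paper shows another app
// can claim, so it must never be the only thing checked.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.Client\" "
     "and certificate leaf[subject.OU] = \"ABCDE12345\"";

BOOL ShouldServeConnection(int fd) {
    pid_t pid = PeerPid(fd);
    // Caveat: pids are reused after a process exits, so verify before the first
    // byte is served and never cache the verdict across connections.
    return pid > 0 && PeerSatisfiesRequirement(pid, kClientRequirement);
}
```

Build with clang -fobjc-arc -framework Foundation -framework Security; the same check can front an NSConnection or local WebSocket listener once the peer pid is known from that transport.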



Published in

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, 1750 pages. ISBN 9781450338325. DOI 10.1145/2810103.

Publisher

Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. MACH-O
      2. OS X
      3. XARA
      4. apple
      5. attack
      6. confuse deputy
      7. cross-app resource access
      8. iOS
      9. program analysis
      10. vulnerability

Conference

CCS '15. Paper acceptance rate: 128 of 660 submissions, 19%. Overall acceptance rate: 1,261 of 6,999 submissions, 18%.

Cited By

  • (2022) Cross Miniapp Request Forgery. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 3079-3092. DOI 10.1145/3548606.3560597
  • (2021) Key Agreement Over Inter-Process Communication. IEEE Access 9, pp. 137367-137383. DOI 10.1109/ACCESS.2021.3117337
  • (2020) Demystifying Resource Management Risks in Emerging Mobile App-in-App Ecosystems. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 569-585. DOI 10.1145/3372297.3417255
  • (2020) All your app links are belong to us: understanding the threats of instant apps based attacks. Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 914-926. DOI 10.1145/3368089.3409702
  • (2020) End-Edge Coordinated Inference for Real-Time BYOD Malware Detection using Deep Learning. 2020 IEEE Wireless Communications and Networking Conference (WCNC), pp. 1-6. DOI 10.1109/WCNC45663.2020.9120765
  • (2020) Vulnerable Service Invocation And Countermeasures. IEEE Transactions on Dependable and Secure Computing, pp. 1-1. DOI 10.1109/TDSC.2019.2936848
  • (2020) Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS. 2020 IEEE Symposium on Security and Privacy (SP), pp. 1056-1070. DOI 10.1109/SP40000.2020.00023
  • (2019) Understanding iOS-based crowdturfing through hidden UI analysis. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 765-781. DOI 10.5555/3361338.3361391
  • (2019) Devils in the guidance. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 747-764. DOI 10.5555/3361338.3361390
  • (2019) State of the Sandbox. Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society, pp. 150-161. DOI 10.1145/3338498.3358654
