I think you'll agree with me when I say: Apple devices are often considered to be more safe and secure than other devices that run on platforms like Windows and Android, but a recent study will make you think twice before making this statement.
A group of security researchers have uncovered potentially deadly zero-day vulnerabilities in both iOS and OS X operating systems that could put iPhone/iPad or Mac owners at a high risk of cyber attacks.
Researchers have created and published a malicious app on the App Store that was able to siphon users’ personal data from the password storing Keychain in Apple's OS X, as well as steal passwords from iCloud, banking and email accounts.
Dubbed XARA (cross-app resource access), the malware exploit app was able to bypass the OS X sandboxing mechanisms that are supposedly designed to prevent an app from accessing the credentials, contacts, and other important data related to other apps.
The Consequences are Dire!
In their paper, titled "Unauthorized Cross-App Resource Access on MAC OS X and iOS" [PDF], the researchers claim that once installed, their app can obtain data from applications such as Dropbox, Facebook and Evernote, along with the popular messaging app WeChat, and even siphon passwords from 1Password.
"The consequences are dire," researchers wrote in the paper. "For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system's keychain the passwords and secret tokens of iCloud, email and all kinds of social networks...bank and Gmail passwords from Google Chrome."
The Researchers also noted that the hack attack is only possible when the attributes of the victim’s keychain item are predictable. However, most of the services share the same name across Keychain stores.
The Keychain issue stems from its inability to verify which app owns a credential in Keychain, and even the OS doesn’t check for any suspicious activity.
Bypassed Apple’s App Store Security Checks
The malicious app was also able to bypass the Apple’s App store security checks that are designed to ensure one app can not gain access to other apps’ data without permission.
However, the more worrisome part regarding the malicious app is that it was approved by Apple for placement in its App Store, which is supposed to be pre-examine by Apple security engineers for potentially malicious apps.
Apple did not immediately respond to a request for comment.
The zero-day flaws discovered by the Indiana University boffins Xing; Xiaolong Bai; XiaoFeng Wang; and Kai Chen joined Tongxin Li, of Peking University, and Xiaojing Liao, of Georgia Institute of Technology, was reported to Apple last October, but the company requested a 6 month period before making it public.
However, according to their paper, the issues persist and millions of Apple users can still be affected by these zero-day flaws.
How to Protect your Devices
A system-wide update to Apple’s OS X and iOS is the only way to protect yourself fully against these vulnerabilities, the researchers said. However, we are patiently waiting to hear from Apple that how it's planning to resolve this huge issue.
To protect yourselves against such vulnerabilities, users of all operating system platforms are advised to limit the apps they install on their devices to those that are needed and explicitly trusted.