Critical Security Vulnerability with Keychain and Sandboxing --Both iOS and OS X--

Millertime
New Contributor III

I'm guessing some of you may have already heard about this. For those of you who haven't, there is a group of researchers that have found a way to break the security for both the iOS and OS X keychain and the app sandboxing.

Here is an excerpt from the article:

"Our malicious apps successfully went through Apple's vetting process and was published on Apple's Mac app store and iOS app store. We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."

The obvious concern here is the potential of a 'Zero Day' exploit that could open our users up to their credentials and personal information being compromised. Plus, Apple has historically been very tight-lipped when it comes to keeping their user base informed on when an update/patch may be coming to address issues such as this. So managing expectations with the leadership at your company may be challenging as well.

I will be opening a ticket with Enterprise AppleCare today, telling them to keep my ticket open and to inform me of any updates here. I'd recommend you all do the same; the more people we have engaging them on this, the better.

Link with videos of them showing the hack in action:
http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/

Link to their research paper:
https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view?usp=sharing

3 REPLIES

mm2270
Legendary Contributor III

Yeah, read about it on MacWorld yesterday afternoon actually.
Another week, another security flaw in OS X/iOS revealed, it seems. I've lost track now of the number of security-related problems that have surfaced within the last couple of months. Apple's security model is beginning to look more and more like Swiss cheese to me. This is what happens when a company's primary focus for years has been to add in as many "magical" features for users as possible, without very carefully considering all the ways those features may be exploited.
The one piece of good news, if there is one, is that it requires an exploited or nefarious app to make its way into Apple's storefronts so it can make use of the app-to-app calls. So the fix for now is to not install anything from the App Store or Mac App Store. Good luck with that.

The bad news as I currently understand it is this will be a tough one for Apple to plug up, and may fundamentally change the way applications can interoperate. I predict a lot of developers are going to be busy rewriting their software titles once Apple issues new security requirements to address this.

perrycj
Contributor III

@mm2270 while I agree (totally agree) that they are definitely more focused on things like a watch that no one needs or a music service that will probably not be as good as existing services... this exploit or flaw in OSX/iOS is all dependent on specific malicious apps getting installed and then run. Also, at least on the OSX side, the author fails to mention how they modified the .plist file of their malicious app in the background before recording their video.

I read their 13-page report/paper and it's very thorough. But the fact remains, a malicious app needs to be installed on a system and the logged-in user has to give it permission to run. Without that happening, keychains, etc. are "safe". Also, it can take advantage of other Mac App Store apps, but I wouldn't go as far as to say you would have to worry about downloading apps which you know are good and from verified sources in the MAS. It's more of a common sense play. No matter the OS (Linux, Windows, OSX, etc.), if you install a malicious app, you're probably gonna run into some trouble.

Apple does need to step up their game though in terms of security and at the very least be more proactive about it. The best we can do is let Apple know this is a problem and provide as much feedback as possible. Bug them even.

bentoms
Release Candidate Programs Tester

Items in an unlocked keychain can be read by the user through the security command; the difference with this exploit is that it adds the malicious apps to keychain items' ACLs.

It's part exploit & part "as designed" AFAIK.

I think the only way that Apple can lock this down further is to limit access to keychain items to only the apps that created them... or within the app's own sandbox (so like a keychain per app) </shudders>

I'm sure better ideas will come.
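Since the effect bentoms describes is an extra application showing up in a keychain item's ACL, one defensive check is to audit the ACLs that `security dump-keychain -a` prints against the apps you expect on each item. The script below is an added example, not code from the thread or from Apple; it assumes the textual layout of that dump (the `0x00000007 <blob>` label attribute and the indented `applications (N):` list) and runs on a constructed sample rather than a real keychain.

```python
import re

# Constructed sample in the assumed layout of `security dump-keychain -a`:
# two items; the second one's ACL lists an app that did not create it.
SAMPLE_DUMP = """\
keychain: "/Users/demo/Library/Keychains/login.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="Evernote"
access: 1 entries
    entry 0:
        applications (1):
            0: /Applications/Evernote.app (OK)
keychain: "/Users/demo/Library/Keychains/login.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="Facebook"
access: 1 entries
    entry 0:
        applications (2):
            0: /Applications/Facebook.app (OK)
            1: /Applications/Example Weather.app (OK)
"""

LABEL_RE = re.compile(r'^\s*0x00000007 <blob>="(.*)"$')   # item label attribute
APP_RE = re.compile(r'^\s*\d+: (.+?) \((OK|status [-\d]+)\)$')  # ACL app entry

def parse_acl_apps(dump):
    """Map each item label to the application paths listed in its ACL."""
    items, label = {}, None
    for line in dump.splitlines():
        if line.startswith('keychain:'):     # a new item block starts here
            label = None
        m = LABEL_RE.match(line)
        if m:
            label = m.group(1)
            items.setdefault(label, [])
        m = APP_RE.match(line)
        if m and label is not None:
            items[label].append(m.group(1))
    return items

def find_unexpected(dump, expected):
    """Report ACL apps not in the per-item allowlist `expected` ({label: set of
    paths}); an item absent from `expected` is reported with its whole ACL."""
    report = {}
    for label, apps in parse_acl_apps(dump).items():
        extra = [a for a in apps if a not in expected.get(label, set())]
        if extra:
            report[label] = extra
    return report
```

On a real Mac you would feed it the output of `security dump-keychain -a` for the login keychain and keep the allowlist per item, so an app that was appended to an item it never created stands out.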