Just weeks after Apple CEO Tim Cook delivered a blistering speech on privacy and security, researchers have once again cast a shadow on the perception of the company’s devices and applications being a more secure option.
The group of academics created malware and were able to get it onto the App Store, while also proving the ability to launch “devastating” attacks and steal sensitive personal data, Forbes reported yesterday (June 17).
“The attacks, known as unauthorized cross-app resource access or XARA, expose design flaws that allow a bad app to access critical pieces of data in other apps. As a result, Apple has struggled to fix the issues,” Forbes said. “Analysis of 1,612 of the most popular Mac apps and 200 iOS apps found more than 88.6 percent of the kit using the flawed pieces of the operating systems were exposed to the XARA attacks, leaving all kinds of data out in the open for willing hackers.”
The team behind the discovery is made up of researchers from Indiana University Bloomington, Peking University and the Georgia Institute of Technology. In the paper, titled “Unauthorized Cross-App Resource Access on MAC OS X and iOS,” the group laid out the details of its systematic security analysis and discovery of a series of high-impact security weaknesses, which were reported to Apple on Oct. 15, 2014.
“Our malicious apps successfully went through Apple’s vetting process and were published on Apple’s Mac App Store and iOS App Store,” Luyi Xing told The Register.
“We completely cracked the keychain service — used to store passwords and other credentials for different Apple apps — and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps,” Xing continued.
The group also plans to release a program that detects exploit attempts on Apple’s OS X; the tool will go live on the XARA site upon completion.
“It remains unclear how Apple plans to mitigate these threats going forward, as it would require significant architectural alterations to the way OS X and iOS interact with apps,” AppleInsider reported.
“In the meantime, users are advised to follow standard security precautions: Do not install apps from unknown sources and be cognizant of any suspicious password prompts,” they added.
To check out what else is HOT in the world of payments, click here.