There is a research paper entitled Unauthorized Cross-App Resource Access on MAC OS X and iOS announced by The Register and picked up by Macrumors claiming that security researchers have totally pwn’d Apple’s sandbox security.
They are quoted as saying:
"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."
“Completely cracked” is a pretty lofty and broad claim. I examined their paper to better understand flaws they claimed to have found.
They make four claims:
- Malicious apps can create keychain entries that are the same as the entries for other apps and steal their passwords.
- Apple’s review process doesn’t verify “subtarget” bundle naming.
- There’s no authentication in Websocket for a server running on the local machine.
- There’s no registration or authentication mechanism for which apps register URL scheme handlers.
The researchers say items 1 and 2 affect OS X but not iOS. While items 3 and 4 affect both OS X and iOS.
I don’t know enough about claims 1 and 2 beyond saying that if what they described is true, it sounds worrying, but contrary to the headlines, it’s not the end of the world for Keychain. It’s also important to understand that most apps on OS X (unlike iOS) aren’t installed through the App Store and don’t need to be sandboxed, which is why it’s still so important that users only install apps from trusted sources AND trusted publishers.
Their paper also acknowledges that Apple has already resolved some of the Keychain account name issues.
The world outside your app is untrusted
Their claims about the remaining issues are troubling, not because they are flaws, but because they’re obviously (to your average developer) not flaws. They are activities happening in the untrusted world outside of the app sandbox and as such the app is responsible for validating data received by such IPC method and protecting (ie. encrypting) data sent via them.
Regarding websockets, (#3) a client should always have a mechanism for making sure the port it’s connecting to is running the server it expects to be there. To blindly assume a port with a certain number is your app’s server is a problem with the app, not the operating system.
To assume a given url scheme handler, something that the app has no control over is being handled by a friendly app is a problem with the app. Apps should use mechanisms to ensure that data sent via schemes is only readable by approved apps using standard protection mechanisms. (ie. encrypting with a shared secret, etc.)
That the researchers would point to these two behaviors which well-known, outlined in Internet standards documents and shared across Internet connected devices and say: “we identified…new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”, which are standard across the Internet, makes me question their competence.