What You Need to Know About Recent 'XARA' Exploits Against iOS and OS X

[MacRumors]

Earlier this week, researchers from several universities published a report exposing a string of security vulnerabilities in iOS and OS X. The vulnerabilities, all labeled as XARA weaknesses, let malicious apps approved on the Mac and iOS App Stores gain access to sensitive data like passwords.

The report details several methods that inter-app interaction services can use to access everything from the Keychain and Websocket on OS X to the URL scheme on iOS and OS X, giving hackers access to sensitive data, including information stored within third-party apps like 1Password, Gmail, Facebook, Twitter, Instagram, Evernote, and more.

Following the release of the report, iMore's Nick Arnott and Rene Ritchie have taken an in-depth look at the XARA weaknesses in a series of posts on the subject, explaining exactly what they do, how they work on iOS and OS X, and the steps that you can take to protect yourself.

The first post from iMore gives a quick overview of what XARA is, explaining that it's a group of exploits that use malicious apps to gain access to secure information by inserting themselves into the middle of a communications chain or sandbox.

OS X, not iOS, is primarily affected by XARA exploits, and the malicious apps are able to be distributed through the Mac App Store and the iOS Store. After being downloaded, an app using XARA exploits waits to intercept data. Ritchie explains how it works:

For OS X Keychains, it includes pre-registering or deleting and re-registering items. For WebSockets, it includes preemptively claiming a port. For Bundle IDs, it includes getting malicious sub-targets added to the access control lists (ACL) of legitimate apps.

For iOS, it includes hijacking the URL scheme of a legitimate app.

iMore's second in-depth XARA post, written by Nick Arnott, goes into even more detail on the XARA weaknesses and details how to determine if you've been affected. On OS X, checking for malicious keychain entries is possible by opening the Keychain Access app, clicking on an item in the list, choosing "Get Info" and looking at the "Access Control" tab to see which apps have access to the Keychain item.

As detailed by Arnott, the only XARA exploit that affects iOS devices is the one that involves URL scheme hijacking, detectable by paying careful attention to apps that open via URL scheme, as they may look slightly different than the real thing.

All that said, you can help protect yourself from URL scheme hijacking if you're paying attention: When URL schemes are called, the responding application gets called to the foreground. This means that even if a malicious app intercepts the URL scheme intended for another app, it will have to come to the foreground to respond. As such, an attacker will have to do a bit of work to pull of this sort of attack without being noticed by the user.

In one of the videos provided by the researchers, their malicious app attempts to impersonate Facebook. Similar to a phishing website that doesn't look quite like the real thing, the interface presented in the video as Facebook may give some users pause: The app presented isn't logged in to Facebook, and its UI is that of a web view, not the native app.

Apple's known about XARA for several months, and according to the researchers who shared the vulnerability with Apple, the company does appear to have tried to fix it several times without success. Avoiding the exploit is relatively simple, as Ritchie and Arnott point out. Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious.

For those interested in learning more about the XARA weaknesses, iMore's overview post on the exploit and the site's more in-depth post are well worth a read.

Update: Apple on Friday provided iMore with the following statement regarding the XARA exploits:

Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store," an Apple spokesperson told iMore. "We have additional fixes in progress and are working with the researchers to investigate the claims in their paper."

Article Link: What You Need to Know About Recent 'XARA' Exploits Against iOS and OS X

 

[0000757]

So, overall, responsible computing should help people avoid being targeted?

Still though, this should be a top priority at Apple to get fixed.

Is there any report as to wether this vulnerability exists in El Capitan or iOS 9?

 

[Crosscreek]

Nuf talking, FIXIT.


Update: Apples statement leaves a lot to be desired. Apple is the new Windows. Time for full security software I guess.

 

[Saucesome2000]

"Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious."

Isn't the point and advantage of the Mac App Store supposed to be that the developer's are vetted and trusted as are the apps? How exactly do we know who trusted developers are? Does Apple plan on having a blue checkmark system?

As an Apple fanboy, this should be their number one priority. Security is one of the top features of Apple products over the competition.

 

[Benjamin Frost]

Thanks for this useful article, MacRumors.

I read the iMore report. It seems that the best thing to do is not use third party apps like 1Password for sensitive data such as passwords. Keep using iCloud and Keychain, but don't allow apps like FaceBook, Chrome, Evernote etc. to store or access sensitive data, or preferably, don't use those apps at all, but stick to first party alternatives like Notes, Mail or iMessage.

 

[Shayanftw]

By the time I enter my password on Chrome, my battery has run out

 

[allanfries]

So, only download apps from the app store. Problem solved?

 

[Saucesome2000]

So, only download apps from the app store. Problem solved?

"the malicious apps are able to be distributed through the Mac App Store and the iOS Store"

 

[sniffies]

Never shopping at Zara again.

 

[KALLT]

It seems that the best thing to do is not use third party apps like 1Password for sensitive data such as passwords. Keep using iCloud and Keychain, but don't allow apps like FaceBook, Chrome, Evernote etc. to store or access sensitive data, or preferably, don't use those apps at all, but stick to first party alternatives like Notes, Mail or iMessage.

The problem is not so much that these third-party apps themselves cannot be trusted, the problem is more that malicious apps can interfere with pretty much any app, whether sandboxed or not. Using only Apple's apps will not alleviate the problem if you have an app installed that uses this vulnerability.

 

[Dj64Mk7]

As detailed by Arnott, the only XARA exploit that affects OS devices is the one that involves URL scheme hijacking, detectable by paying careful attention to apps that open via URL scheme, as they may look slightly different than the real thing.Apple's known about XARA for several months, and according to the researchers who shared the vulnerability with Apple, the company does appear to have tried to fix it several times without success. Avoiding the exploit is relatively simple, as Ritchie and Arnott point out. Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious.

In this paragraph, the highlited "OS" should say iOS.

 

[Benjamin Frost]

The problem is not so much that these third-party apps themselves cannot be trusted, the problem is more that malicious apps can interfere with pretty much any app, whether sandboxed or not. Using only Apple's apps will not alleviate the problem if you have an app installed that uses this vulnerability.

I agree.

What I'm trying to say is that, for the time being, the safest course of action is probably to withhold downloading or using these third party apps until this vulnerability is resolved.

 

[KALLT]

I think what troubles me more is the complete silence on Apple's part. This has the potential to be a very serious issue and yet you hear nothing about it from your manufacturer. There is a point where Apple really starts to piss me off with this behaviour. You can see that even the developers of AgileBits are pretty much helpless and can't do anything to fix the problem, while their customers expect a secure product. I wonder how other developers of security software look at this.

 

[Data]

I don't understand why Apple is not talking about this in public, one of the reasons i always advice people te get a Mac instead of a PC , looking at prices, is because osx (ans ios ) are much mure secure then the rest out there.

But latley with all the adware like genio ,spybot enz.. mac users are thinking there macs now have viruses aswell as pc's , so why am i still using a mac, and then you get this story about your password apps from apple itself (icloud keychain ) but aswell ass approved apps on both appstores are not secure, how the hell am i going to sell this to my customers, that up untill now thought if they buy a mac they are safe.

I realy think apple should take this kind of stuff more serious then they do now.

 

[H2SO4]

I think what troubles me more is the complete silence on Apple's part. This has the potential to be a very serious issue and yet you hear nothing about it from your manufacturer. There is a point where Apple really starts to piss me off with this behaviour. You can see that even the developers of AgileBits are pretty much helpless and can't do anything to fix the problem, while their customers expect a secure product. I wonder how other developers of security software look at this.

So what’s new?

 

[Thunderhawks]

I think what troubles me more is the complete silence on Apple's part.

What would you like them to do? Put an ad in the paper?
That kind of stuff needs to be resolved quietly BECAUSE there is no need to broadcast to the hackers.

Also, the people who keep saying that as a fact Apple has done nothing need to read the line where it says they tried (so far unsuccessfully)
Looks like it's not that easy as a poster saying: Just fix it. Flip a switch and we are done!

 

[jdawgnoonan]

So you cannot necessarily trust apps in the app store and Apple told no one. Nice. The point of the App Store and the solitary thing that has made iOS more secure has been trust in the App Store and the App vetting process.

 

[coolfactor]

I think what troubles me more is the complete silence on Apple's part. This has the potential to be a very serious issue and yet you hear nothing about it from your manufacturer. There is a point where Apple really starts to piss me off with this behaviour. You can see that even the developers of AgileBits are pretty much helpless and can't do anything to fix the problem, while their customers expect a secure product. I wonder how other developers of security software look at this.

I understand and agree with your point about silence from Apple, in principle, but the other side of the equation is the internet. If Apple were to come out and say "Hey, we're aware of this major problem with our "secure keychain" etc.", then the media would be all over it, and the attention would lead to tons of exploit attempts. Silence is sometimes the best course of action.

My main concern is that the silence makes us wonder "are they doing anything at all about it?"

If I'm correct, one major ingredient is that any app can delete any keychain item... is that correct? If Apple closes that loophole, it would make this "glitch" so much more difficult to compromise.

 

[mkeeley]

So, only download apps from the app store. Problem solved?

Not sure if you were being sarcastic or just can't read but it clearly states that malicious apps can be downloaded fro the app store.

 

[Quu]

One way Apple could fix this is by having certain local port numbers registered by the software when first installed. That way local communication between software on the system can be assured the ports they use to communicate can't be hijacked by other processes on the system.

Then once you uninstall the software those ports are de-registered and opened up for all software on the system to use. They could even have it pop up a box if you tried to launch an Application that tries to use a registered port and let the user know that port number is already registered to another application.

I have written an application previously that had to communicate with local sockets and as I didn't have the luxury of the system I just described above I instead opted for a pre-shared key between the software and used encryption but as 1Password noted in their blog post, encryption schemes can be broken so it's not an optimal solution.

 

[Dargoth]

Great. Yet another thing for people who know nothing about computers to freak out about. The number of people who put a little piece of tape on their webcams... I don't even...

 

[Data]

Great. Yet another thing for people who know nothing about computers to freak out about. The number of people who put a little piece of tape on their webcams... I don't even...

Keeps you out of the picture ,lol.

 

[Zakzilla]

I agree.

What I'm trying to say is that, for the time being, the safest course of action is probably to withhold downloading or using these third party apps until this vulnerability is resolved.

This. Apple takes the mysterious approach too far. WWDC and product roadmap? Fine. But security issues? Come on.

 

[Tech198]

Well.. Apple just likes to ignore things don't they until THEY can confirm .... I can understand.... Most IT users only trust themselves too.... security wise too..... I do the same hey i'm not ashamed to admit it.

Trusting sources, but how can u trust the Mac app store anymore when u know malicious apps can get through ?

At least this was always a 'safe haven'' Not anymore..

All i know is, this is gonna be one hell of a MacBreak Weekly

 

[Will do good]

So, is 1 Password not to be trusted or use?