Hackers are scrambling to either defend against or exploit the new 0-day vulnerability released by 6 university researchers from Indiana University, Peking University, and Georgia Institute of Technology. In a 13-page report, these researchers describe a way they have discovered to bypass Apple's multi-level security and steal passwords from natively installed applications on your iOS devices. The best (or worst, depending on your situation) part? The researchers have been contacting Apple about this for the last 6 months, and Apple has not responded with a patch. In accordance with Apple's own policy, the hack has been released to the public.
What's the Hack?
The hack is known by the research team as XARA, or cross-app resource access. Cross-app resource access is a function in most modern operating systems (OSes), including iOS, OS X, and Android. This specific hack, however, is only affecting Apple devices (yes, every single one of them) as of today, though I don't think anyone would be surprised if a similar exploit were discovered for Android and other operating systems.
What exactly is resource access?
Whenever an application is installed, you, the user, allow the application a set of privileges. Depending on what the application needs to function, you may give it access to your camera, your text messages, or your location, among many other functions. Every single one of these things is also an application and has its own resource access. This is the "sandbox" model the research team talks about in their report. Every app is "sandboxed" into privileges defining what it can and cannot do.
The hack totally bypasses this. As the App Store stands today, a hacker would be able to upload an application to Apple's store containing malicious code that, when installed on a device, would bypass this sandboxing security system and gain access to all your data and passwords. Basically, everything on your phone would be available to the hacker. Through their research, the team found that "in most cases, neither the OS nor the vulnerable app properly authenticates the party it interacts with". After analyzing over 1600 Mac apps and 200 iOS apps, the team found that 88.6% of these applications are exposed to XARA attacks. These attacks can steal Gmail, bank, and iCloud passwords, to name a few.
The issue gets more complicated as one delves into different operating systems, how they implement the sandbox security system, UIDs (for Linux/Android systems), BIDs (Apple bundle IDs), and the way in which Apple shares resources between applications. Covering most of the details of these attacks is outside the scope of this article and would mean repeating content that is already available in the report. If you like, you can get a much more in-depth look at this in their report.
How to Avoid It
As of now, Apple has not released any official statement concerning the XARA vulnerability. Antivirus products won't detect it until they are updated with the malicious code, either. So, it's pretty much undetectable by traditional means.
Don't despair yet!
The hack can only be implemented if the malicious code is installed on your device locally. So, avoiding lesser-known applications from a company that has not established itself well and is not viewed by the public as reputable is recommended. Using your own judgement concerning these applications is also crucial. If you have a jailbroken device, for example, installing unauthorized applications on your phone would be folly. If there is an application on the official App Store run by somebody who has no web presence whatsoever, you are probably better off avoiding the application until Apple releases a fix and antivirus vendors update their databases. If you don't trust your own judgement, consult someone else.
It's important to be careful. It's so easy to just install an application. It's not easy to reset all your passwords or, in the worst-case scenario, to reclaim your identity and recover the money in your bank account.
© 2015, insidious All Rights Reserved.