Password-stealing flaws found in Apple iOS and Mac OS X operating systems

Researchers claim Apple ignored their security report for almost nine months - so went public instead

Apple iPhones and Mac OS PCs have been running with a serious security vulnerability for almost nine months, despite security researchers warning Apple of the zero-day flaw.

The latest disclosure suggests that, while Apple smartphones, laptops and desktop computers are not as vulnerable to security flaws as standard PCs, the company itself is not as responsive to reports of security flaws as it ought to be.

In their paper, the researchers from Indiana University, Peking University and Georgia Institute of Technology describe how they uncovered "serious exploitable bugs" in both iOS and Mac OS X. These bugs enabled them to steal passwords from apps installed on the devices.

The researchers claim that they were able to upload malware into the Apple app store for general sale, without Apple's scanning process setting off alerts and blocking the apps. Those apps were able to steal and transmit passwords for a range of other applications and services, including Apple's iCloud, the Mail app and any passwords stored in Google Chrome.

While the attacks highlight weaknesses in Apple's vetting of apps in its curated and controlled app store, the researchers suggest that the way in which their malware was able to steal passwords highlights other weaknesses in Apple's operating systems that Apple has so far not addressed.

"The design of the App sandbox on OS X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications," claimed the researchers in their paper.

Part of the problem, claim the researchers, is that while "app sandboxing" in Android is a well-established part of its security architecture as an extension to Linux security procedures, the Apple sandboxing features are less well developed.

"Each Android app is given a unique UID and runs as the user. Sensitive resources are assigned to Linux groups such as GPS, Audio and so on. This treatment automatically isolates one app from others under the Linux user and process protection," they claimed. "Unlike Android, which isolates an app solely based upon its UID, the Apple platforms just utilise UIDs to classify apps into groups."

As a result, passwords for one application are insufficiently protected, due to the "lack of app-to-app and app-to-OS authentications". This enables attackers to perpetrate unauthorised cross-app resource access.

Almost 90 per cent of 1,612 free OS X and iOS apps downloaded from official Apple app stores were found to be "completely exposed" to such attacks - but Apple has yet to address the problem.
