The Mac App Store and the iOS App Store have always been a great source of apps, but some of those apps have a different intended purpose that harms users' privacy, and we refer to them as malicious. Earlier this week, researchers unveiled a vulnerability in iOS and OS X called the XARA weakness, which can expose sensitive data stored on Apple devices. Malicious apps that have passed App Store approval can gain access to passwords and other information without the user knowing.
Furthermore, the report details various ways in which app services can reach your personal data, from password storage in Keychain on iOS and WebSocket on OS X to the URL schemes of the two platforms from the same company. This gives hackers the ability to track down and get hold of personal data stored in various applications. Apart from passwords, hackers can also gain access to information stored in applications such as Facebook, Twitter, Evernote, Instagram, 1Password, Gmail and more.
OS X Is Primarily Affected And Not The iOS
Rene Ritchie and Nick Arnott of iMore have dug deep into the vulnerability present in iOS and OS X. In several different posts, the iMore team explained how the vulnerability is exploited, what exactly the affected mechanisms do, and the best ways for users to protect their personal data.
iMore began with an introduction to XARA and how it works. According to them, XARA is a cluster of exploits carried by malicious apps so that they can gain access to an individual's personal data. The XARA weakness on iOS and OS X gets into the middle of the sandbox or the communication chain to reach sensitive data. Ritchie explains how XARA works:
For OS X Keychains, it includes pre-registering or deleting and re-registering items. For WebSockets, it includes preemptively claiming a port. For Bundle IDs, it includes getting malicious sub-targets added to the access control lists (ACL) of legitimate apps.
For iOS, it includes hijacking the URL scheme of a legitimate app.
So it seems that an app carrying the XARA weakness waits to intercept data until the appropriate actions are taken in favor of the exploit. Primarily, OS X is affected by the XARA exploits and not iOS, and distribution spans both the iOS and the OS X App Stores.
The second post, by Arnott, covered XARA in even more detail. It dealt with how users can tell whether they have been affected. Check the keychain entries in the Keychain app on OS X. Select an item in the list and choose 'Get Info'. Then, looking at Access Control, you can see which applications have access to that keychain item.
Among the iOS exploits that are present, only URL scheme hijacking affects users. It can be detected through careful observation of the applications that open via a URL scheme. They may look slightly different from the original. Arnott states:
All that said, you can help protect yourself from URL scheme hijacking if you're paying attention: When URL schemes are called, the responding application gets called to the foreground. This means that even if a malicious app intercepts the URL scheme intended for another app, it will have to come to the foreground to respond. As such, an attacker will have to do a bit of work to pull off this sort of attack without being noticed by the user.
In one of the videos provided by the researchers, their malicious app attempts to impersonate Facebook. Similar to a phishing website that doesn't look quite like the real thing, the interface presented in the video as Facebook may give some users pause: The app presented isn't logged in to Facebook, and its UI is that of a web view, not the native app.
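As an added example (not code from iMore or the researchers), the same "pay attention to who answers a URL scheme" idea can be turned into a check on the OS X side: the script below lists URL schemes that more than one installed app bundle declares in its Info.plist. It assumes apps live in /Applications with the standard Contents/Info.plist layout; the function names are hypothetical.

```python
import plistlib
from collections import defaultdict
from pathlib import Path


def url_schemes(info_plist):
    """Return (bundle id, set of lower-cased URL schemes) from one Info.plist."""
    with Path(info_plist).open("rb") as fh:
        info = plistlib.load(fh)
    schemes = set()
    # CFBundleURLTypes is a list of dicts, each with a CFBundleURLSchemes list.
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.add(scheme.lower())  # URL schemes compare case-insensitively
    return info.get("CFBundleIdentifier", str(info_plist)), schemes


def contested_schemes(apps_dir):
    """Map every URL scheme declared by more than one bundle to its claimants."""
    claims = defaultdict(set)
    for plist in Path(apps_dir).glob("*.app/Contents/Info.plist"):
        try:
            bundle_id, schemes = url_schemes(plist)
        except Exception:
            continue  # unreadable or malformed plist: skip, keep scanning
        for scheme in schemes:
            claims[scheme].add(bundle_id)
    return {s: sorted(ids) for s, ids in claims.items() if len(ids) > 1}


if __name__ == "__main__":
    # Assumption: default application directory on OS X.
    hits = contested_schemes("/Applications")
    for scheme, bundles in sorted(hits.items()):
        print(f"{scheme}:// is declared by: {', '.join(bundles)}")
```

A shared scheme is a prompt for review rather than proof of hijacking, since several legitimate apps can declare the same scheme.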
It's surprising that Apple knew of the XARA exploits and could not do anything to halt the exploitation and protect users' personal and sensitive data. However, there is a very simple way to avoid data exploitation via the XARA weakness. The user should avoid downloading apps from third parties or keep it limited to the trusted ones, as noted by Arnott and Ritchie. That's it for now; comment with your thoughts about the exploit.