Researchers get password-stealing malware into the App Stores for iOS and OS X




Researchers say they have found critical vulnerabilities in iOS and OS X that Apple has not yet closed. Through so-called cross-app resource access attacks, passwords can be captured from apps, while malware can be uploaded to the App Store.

The researchers, from Indiana University, Peking University and the Georgia Institute of Technology, write in a research report that on both OS X and iOS a malicious app can gain access to data belonging to other apps. Using the cross-app resource access attack method, they could obtain passwords and tokens for iCloud from the keychain, a 'safe' for shared storage of sensitive data within the system. In addition, the sandbox principle is circumvented: this security mechanism is supposed to prevent exactly such behavior by partitioning software. Other cross-app 'software layers' that Apple has developed, such as WebSocket and Scheme, could also be abused.

In addition, the researchers say they managed to get manipulated, malicious apps through the Apple approval process, after which they were available in the Mac App Store and the iOS App Store. This would allow attackers to place software that is deemed safe in the App Stores and use it to capture data from other, legitimate apps. According to the researchers, a sample showed that about 88 percent of the surveyed OS X and iOS apps can be attacked in this way.

According to the researchers, they reported their findings, which they qualify as very serious, to Apple in October last year. Apple reportedly asked them to postpone publication of the research for six months so that it could address the problems, but when that period expired, the researchers had not received any feedback from the Cupertino-based company. As a result, the current versions of iOS and OS X are still vulnerable to the security issues described.

Meanwhile, the security researchers say they have developed an application that can detect cross-app resource access attacks until a fix is available, although this tool has limited value. The researchers also give some tips on how app developers can reduce the risk of such attacks.

