Apple iOS and OSX sandbox and security fubar

[foxidrive]

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.

Damn security researchers! They should all be shot...

 

[misi]

WeChat ? My wife use it daily!

 

[foxidrive]

There is one solution for people. Don't download any apps.

Oh, and reset the iWidget so it hasn't got any possible malware apps on it.

 

[misi]

There is one solution for people. Don't download any apps.

But they are so tempting!

 

[foxidrive]

But they are so tempting!

Just like Magnums, and I can't say no either!

 

[misi]

Just like Magnums,

Oh yes...
Pages of garbage on my phone, I don't have the heart to remove them...

 

[Guess]

Did someone say Magnums ?

 

[misi]

Did someone say Magnums ?

That word should be banned...

 

[foxidrive]

$6 in Coles, as misi said - I got the espresso versions. very nice!