On the XARA Mac and iOS exploits
Web Excursions are select bookmarks from my travels around the interwebs, because I'm always thinking about you while discovering other people's cool stuff. You mean that much to me. You can see all of my (public) bookmarks on Pinboard, and visit the bookmarks archive for curated lists across the last few years.
I’m not a security expert. This post is an opinion interlaced with the things I’ve learned from sources I have faith in. Feel free to clarify or correct me in the comments.
When I saw the news of the XARA1 exploits in an article on The Register, my heart sank. I’ve spent years using security as a point of argument in platform debates. I don’t want to be proven wrong.
The report describes multiple weaknesses in both OS X and iOS centering around the systems that Apple has implemented to allow communication between apps. This is bad news to me, personally, because what’s discouraged me most in recent OS X developments is the clamping down of these systems and the frustration it causes for anyone who wants to work (and automate) outside of the iCloud space.
Most of the vulnerabilities reported are related to “legacy” systems that Apple built on top of the OpenBSD framework, such as the Keychain, url handlers, inter-app communication systems. These are all things that make OS X great to use, so we’re walking the line between security and convenience again. Most of what I do every day relies on these technologies.
It’s stated that Apple had 6 months to — at the very least — prepare a statement. Historically it’s rare that they do anything other than quietly release a patch, but this issue comes down to core technologies that especially affect the third-party developers that make the Apple ecosystem what it is.
In retrospect, the announcements at WWDC already indicated that Apple was taking security measures against the url vulnerabilities, requiring that each app preemptively declare what handlers it can call. That’s a big handicap for the current implementation of apps like Workflow, Drafts, and LaunchCenter Pro, who allow user-defined url schemes to call other apps. This change in the upcoming version seems like an indication that action was being taken. I’m just surprised that there were no publicly visible proactive measures taken against the panic that this report is generating.
The fact that part of the research on the exploits was to successfully publish a malware app to the App Store is frustrating. As a Mac developer, I know that getting through the rigorous review process is sometimes an even bigger hurdle than actually writing an app. I’d like to think that this stringent and detail-focused process at least ends up providing security and quality.
The “malware” that passed through the review wasn’t detectable by static analyzers, and the trojan didn’t do anything a “normal” app wouldn’t do. It used existing systems, such as url handler registration and bundle id spoofing, in ways that exposed serious weaknesses.
I’m sure there will be increased scrutiny of all App Store apps using these systems for communication and credential storage. I’m hoping that we don’t just see the pod bay doors snap shut, but that we’ll see new, more secure means of handling the flexibility some of us love. OS X is my favorite operating system I’ve ever used. iOS has come a long way and is rapidly continuing toward the combination of power and beauty of the desktop platforms.
As far as what you need to know, and actions you need to take, here are the best resources I’ve seen thus far:
- iMore: XARA exploits on Mac, iPhone, and iPad, and what you need to know!
- iMore: XARA, deconstructed: An in-depth look at OS X and iOS cross-app resource attacks
- Agilebits: 1Password inter-process communication: a discussion
- Ars: Serious OS X and iOS flaws let hackers steal keychain, 1Password contents
Acronym for unauthorized cross-app resource access ↩