Apple iOS, OS X Scarily Easy to Hack, Researchers Say

Apple's iOS and OS X platforms have serious, unpatched security flaws that let researchers add malicious apps to both app stores and steal login credentials for iCloud, Mail and third-party services, according to a new academic paper.

"Our malicious apps successfully went through Apple's vetting process and [were] published on Apple's Mac app store and iOS app store," Luyi Xing of Indiana University told the British tech site The Register. "We completely cracked the keychain service — used to store passwords and other credentials for different Apple apps — and sandbox containers on OS X, and also identified new weaknesses ... which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."

MORE: Best Mac Antivirus Software

The researchers, from Indiana, Georgia Tech and Peking University, said they notified Apple in October 2014, but that the company asked that the paper not be published for six months. The flaws still exist in the latest versions of iOS and OS X, the researchers say.

Apple did not immediately reply to a request for comment from Tom's Guide.

The paper, entitled "Unauthorized Cross-App Resource Access on MAC OS X and iOS," details how both platforms fail to fully secure communications between applications, with OS X apparently containing the bulk of the flaws.

"The consequences of these attacks are serious, including leaks of user passwords, secret tokens and all kinds of sensitive documents," the paper states.

What's Vulnerable

YouTube videos posted by Xing demonstrate how malicious OS X apps could steal data from the Evernote app, authentication tokens from iCloud and Facebook usernames and passwords stored locally by Google Chrome. Any login credentials stored in Chrome's password vault were apparently vulnerable.

The team built a tool they called Xavus to detect what it called cross-app resource access (XARA) flaws, and found that nearly 90 percent of the OS X applications it tested were vulnerable, along with 200 iOS ones.

Vulnerable on OS X were the password-management applications 1Password, LastPass and Dashlane; the theft of a master password from any of those would be devastating for a user. On iOS, the researchers found that temporary login credentials could be stolen from Dropbox, Instagram, WhatsApp, Amazon and PayPal, as well as the mobile banking apps for Citibank and U.S. Bank.

Email communications between the researchers and software makers, seen by The Register, indicated that Google had patched Chrome on OS X to no longer be vulnerable to theft of stored third-party passwords. However, the maker of 1Password said it had not found a way to fix the flaw.

The Register said emails between Apple and the researchers showed that the academics had contacted the company in October, and that Apple said it understood how serious the flaws were and had asked the researchers to delay making their findings public for six months. In March, the company asked for an advance copy of the research paper, the emails indicated, but the company did not seem to have subsequently communicated with the researchers.

The flaws are unique to Apple, the researchers say, because of the way Apple lets applications share information.

"The fundamental cause for the XARA flaws is unprotected cross-app resource sharing and communication," the paper states. "Comparing OS X with iOS, the latter is relatively securer simply because it does not support credential sharing (among different apps)."

Fixing the issue would involve greater communication between Apple and third-party software makers, the paper states, regarding exactly what an application should and shouldn't disclose to other applications. The researchers also believe that Apple could do more to secure its app stores.

"We believe that the OS provider can do more to help the app developer and secure its app ecosystem," their paper states. "This is complete[ly] feasible, given the fact that today the Apple Store takes more than a week to approve an app, while the automatic tools like Xavus can be built to detect missing authentication within the app in minutes."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.