Apple's iOS and OS X platforms have serious, unpatched security flaws that let researchers add malicious apps to both app stores and steal login credentials for iCloud, Mail and third-party services, according to a new academic paper.
"Our malicious apps successfully went through Apple's vetting process and [were] published on Apple's Mac app store and iOS app store," Luyi Xing of Indiana University told the British tech site The Register. "We completely cracked the keychain service — used to store passwords and other credentials for different Apple apps — and sandbox containers on OS X, and also identified new weaknesses ... which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."
MORE: Best Mac Antivirus Software
The researchers, from Indiana, Georgia Tech and Peking University, said they notified Apple in October 2014, but that the company asked that the paper not be published for six months. The flaws still exist in the latest versions of iOS and OS X, the researchers say.
Apple did not immediately reply to a request for comment from Tom's Guide.
The paper, entitled "Unauthorized Cross-App Resource Access on MAC OS X and iOS," details how both platforms fail to fully secure communications between applications, with OS X apparently containing the bulk of the flaws.
"The consequences of these attacks are serious, including leaks of user passwords, secret tokens and all kinds of sensitive documents," the paper states.
YouTube videos posted by Xing demonstrate how malicious OS X apps could steal data from the Evernote app, authentication tokens from iCloud and Facebook usernames and passwords stored locally by Google Chrome. Any login credentials stored in Chrome's password vault were apparently vulnerable.
The team built a tool they called Xavus to detect what it called cross-app resource access (XARA) flaws, and found that nearly 90 percent of the OS X applications it tested were vulnerable, along with 200 iOS ones.
Vulnerable on OS X were the password-management applications 1Password, LastPass and Dashlane; the theft of a master password from any of those would be devastating for a user. On iOS, the researchers found that temporary login credentials could be stolen from Dropbox, Instagram, WhatsApp, Amazon and PayPal, as well as the mobile banking apps for Citibank and U.S. Bank.
Email communications between the researchers and software makers, seen by The Register, indicated that Google had patched Chrome on OS X to no longer be vulnerable to theft of stored third-party passwords. However, the maker of 1Password said it had not found a way to fix the flaw.
The Register said emails between Apple and the researchers showed that the academics had contacted the company in October, and that Apple said it understood how serious the flaws were and had asked the researchers to delay making their findings public for six months. In March, the company asked for an advance copy of the research paper, the emails indicated, but the company did not seem to have subsequently communicated with the researchers.
The flaws are unique to Apple, the researchers say, because of the way Apple lets applications share information.
"The fundamental cause for the XARA flaws is unprotected cross-app resource sharing and communication," the paper states. "Comparing OS X with iOS, the latter is relatively securer simply because it does not support credential sharing (among different apps)."
Fixing the issue would involve greater communication between Apple and third-party software makers, the paper states, regarding exactly what an application should and shouldn't disclose to other applications. The researchers also believe that Apple could do more to secure its app stores.
"We believe that the OS provider can do more to help the app developer and secure its app ecosystem," their paper states. "This is complete[ly] feasible, given the fact that today the Apple Store takes more than a week to approve an app, while the automatic tools like Xavus can be built to detect missing authentication within the app in minutes."
- Apple Pay: Where You Can (and Can't) Use It
- 10 Pros and Cons of Jailbreaking Your iPhone or iPad
- Apple Pay: Can You Trust It?
Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.