There is a research paper entitled Unauthorized Cross-App Resource Access on MAC OS X and iOS announced by The Register and picked up by Macrumors claiming that
security researchers have totally pwn'd Apple's sandbox security.
They are quoted as saying:
"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."
"Completely cracked" is a pretty lofty and broad claim. I examined their paper to
better understand flaws they claimed to have found.
They make four claims:
- Malicious apps can create keychain entries that are the same as the entries for other apps
and steal their passwords.
- Apple's review process doesn't verify "subtarget" bundle naming.
- There's no authentication in Websocket for a server running on the local machine.
- There's no registration or authentication mechanism for which apps register URL scheme handlers.
The researchers say items 1 and 2 affect OS X but not iOS. While items 3 and 4 affect both OS X and iOS.
I don't know enough about claims 1 and 2 beyond saying that if what they described is true, it sounds
worrying, but contrary to the headlines, it's not the end of the world for Keychain.
It's also important to understand that most apps on OS X (unlike iOS) aren't
installed through the App Store and don't need to be sandboxed, which is why it's
still so important that users only install apps from trusted sources AND trusted publishers.
Their paper also acknowledges that Apple has already resolved some of the Keychain
account name issues.
The world outside your app is untrusted
Their claims about the remaining issues are troubling, not because they are flaws,
but because they're obviously (to your average developer) not flaws. They are activities
happening in the untrusted world outside of the app sandbox and as such the app is responsible for
validating data received by such IPC method and protecting (ie. encrypting) data
sent via them.
Regarding websockets, (#3) a client should always have a mechanism for
making sure the port it's connecting to is running the server it expects to be there.
To blindly assume a port with a certain number is your app's server is a problem
with the app, not the operating system.
To assume a given url scheme handler, something that the app has no control over
is being handled by a friendly app is a problem with the app. Apps should use
mechanisms to ensure that data sent via schemes is only readable by approved apps
using standard protection mechanisms. (ie. encrypting with a shared secret, etc.)
That the researchers would point to these two behaviors which well-known, outlined
in Internet standards documents and shared across Internet connected devices and
say: "we identified...new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be
used to steal confidential data from Evernote, Facebook and other high-profile apps.",
which are standard across the Internet, makes me question their competence.