Apple said on Friday that it has rolled out a server-side security update designed to address unauthorized cross-app resource access (XARA) exploits, and that it is working with the researchers on additional fixes.
In a statement provided to iMore, Apple confirmed knowledge of the XARA vulnerabilities and of the exploits they enable through malicious software on OS X and iOS. Malware downloaded onto the device, or a malicious app that hijacks a URL scheme, can intercept data exchanged between sandboxed apps, including sensitive information such as passwords and authentication keys.
“Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store. We have additional fixes in progress and are working with the researchers to investigate the claims in their paper,” an Apple spokesperson said.
The XARA vulnerabilities were discovered last year by a team of six researchers from Indiana University, Georgia Tech and China’s Peking University. The group informed Apple of the vulnerabilities last October, and the company asked that the team withhold their findings from the public for six months.
The flaws allow malicious apps to take advantage of the way OS X and iOS move and store inter-app data. For example, a malicious OS X app downloaded from the App Store could tamper with the Keychain database and with bundle IDs; the researchers say they got apps containing the malware into both the Mac and iOS App Stores, and that it was not detected during the approval process. Bundle IDs determine which sandbox container an app is granted, and therefore which data it can read. The group also described attacks on WebSockets and URL schemes, in which a malicious app claims a local WebSocket port or a URL scheme that another app expects to own and so receives data intended for that app.
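Two of the collision conditions the research relies on, two bundles claiming the same custom URL scheme and two bundles carrying the same bundle identifier, can be audited from the bundles' own Info.plist files. The script below is an added example, not code from the article or from the researchers' paper; it uses only the standard-library plistlib module, reads the standard CFBundleIdentifier and CFBundleURLTypes keys, and builds three constructed .app skeletons in a temporary directory (the bundle names, identifiers and schemes are invented for the demonstration) so it runs offline. Point find_conflicts() at /Applications and ~/Applications to run it against a real system.

```python
"""Scan macOS .app bundles for URL-scheme and bundle-ID collisions.

Added example for the XARA discussion above: it is not the researchers'
code and it uses only the standard library. Two bundles registering the
same URL scheme means the system must pick one handler, which is the
precondition for scheme hijacking; two bundles sharing a CFBundleIdentifier
is the precondition for bundle-ID (container) squatting.
"""
import os
import plistlib
import tempfile
from collections import defaultdict


def read_info_plist(app_path):
    """Return the parsed Contents/Info.plist of an .app bundle, or None."""
    plist_path = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None


def scheme_claims(info):
    """Yield every URL scheme a bundle registers via CFBundleURLTypes."""
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            # URL schemes are case-insensitive (RFC 3986), so normalise before comparing.
            yield scheme.lower()


def find_conflicts(search_dirs):
    """Map each contested URL scheme and each duplicated bundle ID to the
    bundle paths that claim it. Only entries with more than one claimant
    are returned; a hit is a lead for review, not proof of malice."""
    schemes = defaultdict(list)
    bundle_ids = defaultdict(list)
    for root in search_dirs:
        for name in sorted(os.listdir(root)):
            if not name.endswith(".app"):
                continue
            app_path = os.path.join(root, name)
            info = read_info_plist(app_path)
            if info is None:
                continue
            bundle_ids[info.get("CFBundleIdentifier", "<missing>")].append(app_path)
            for scheme in scheme_claims(info):
                schemes[scheme].append(app_path)
    return {
        "schemes": {s: p for s, p in schemes.items() if len(p) > 1},
        "bundle_ids": {b: p for b, p in bundle_ids.items() if len(p) > 1},
    }


def make_fake_app(root, name, bundle_id, schemes):
    """Write a minimal .app skeleton (constructed fixture, not a real app)."""
    contents = os.path.join(root, name + ".app", "Contents")
    os.makedirs(contents)
    info = {
        "CFBundleIdentifier": bundle_id,
        "CFBundleURLTypes": [{"CFBundleURLSchemes": list(schemes)}],
    }
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)


def demo():
    """Build three constructed bundles: a legitimate app, an impostor that
    claims the same scheme (differing only in case), and a helper that
    squats the legitimate app's bundle ID. Names are invented."""
    root = tempfile.mkdtemp()
    make_fake_app(root, "PasswordVault", "com.example.vault", ["vault", "vault-callback"])
    make_fake_app(root, "FreeWeather", "com.example.weather", ["weather", "Vault"])
    make_fake_app(root, "VaultHelper", "com.example.vault", [])
    return find_conflicts([root])


if __name__ == "__main__":
    for kind, entries in demo().items():
        for key, paths in entries.items():
            print(f"{kind}: {key!r} claimed by {len(paths)} bundles:", *paths)
```

Expect some benign hits on a real machine: several mail clients legitimately register mailto, and a vendor's own helper apps may share identifiers. The point of the scan is to surface a third-party app that has quietly claimed a scheme or identifier belonging to a password manager or other sensitive app, which is exactly the situation the paper's URL-scheme and bundle-ID attacks create.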