Private I: The App Store's weaknesses and problems already solved

1Password developer AgileBits blogged about what users can do to protect themselves from the (unlikely) event that this bug would be exploited.

1Password developer AgileBits blogged about what users can do to protect themselves from the (unlikely) event that this bug would be exploited.

It's the easiest thing in the world to write a headline that tells you to panic; it's much harder to write one that says something is very wrong, but the odds of it occurring are very low and getting lower. Last week's release of a research paper that showed exploits that were possible in App Store-approved software in iOS and OS via intra-application shared resources was significant. However, most of the media covering it (including us) got the nuance right.

The App Store wasn't compromised, nor is there a way for Internet-distributed malware to make good use of these flaws. Rather, through lengthy work that included consultation with software makers and Apple, it seems that the exploits were grossly mitigated before the paper was released. Finer steps to root out the spots that can be vectors for attack will clearly come.

It's also nice to hear Apple respond quickly and forcefully to a potentially significant security hole. The paper was released on Wednesday, and Apple confirmed that it had made server-side changes and was working with researchers on additional issues.

What should you be concerned with as an app buyer?

Which flaws and which apps

To recap: researchers found four categories of severe flaws, three of which affect only apps in the Mac App Store, and a fourth can be used by malware in the Mac or iOS App Store. An attacker has to develop and get an app approved by Apple, then convince people to obtain it for any of the exploits to be used.

While iOS users have zero choice about where they get apps, Mac users can pick from the App Store or any source. Based on best-selling lists and the abdication from or disinterest in the Mac App Store by some leading developers, most apps downloaded are from Apple or a handful of well-known companies. For a malicious developer to even get to users will require a lot of stars to be in alignment. The high bar makes it unlikely for criminals to try; governments might if they had particular targets in mind and could mask their intent.

The four flaws relate to snooping on keychain password entries, reading app-specific data storage that should be restricted to the app via user-approved conduits (like Evernote), intercepting browser-to-app communication, and--for both iOS and OS X--URL schemas that could contain access tokens being hijacked.

Because all the exploits require submission and approval of an app, Apple should have been able to change its screening process as long ago as October, after the researchers tested submitting apps with malicious inter-application components and having them approved. (The paper's authors removed these apps immediately after approval.)

Apple can also rescreen all apps in the App Store for specifics sorts of uses mentioned in the paper and build it into future approvals. The keychain flaw, in which malware can essentially add itself as a legitimate party to read entries for other apps, should be something Apple can check apps for directly, but also obviously requires some system reengineering.

The statement from the company on Friday said that it has already made one fix: Apple "implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store." That's related to the second flaw I noted above, labeled "container cracking," in which an app's private data can be stolen by a subsystem that registers itself as if it were an already accepted extension.

The URL schema issue is straightforward, in that apps have to include these in a form that can be handed off to the OS. Apple can parse and test for this on both platforms. While apps can't control where a schema redirects--a Facebook authorization request in Pinterest doesn't know whether Facebook or malware has registered the Facebook app's schema--but it can determine where a redirect came from. Developers can put in tests around this to prevent hanky-panky, although Apple may make changes in both OSes that obviate this need.

Researchers found some apps are already resistant to one or more exploits because of particular choices, and these could be turned into best practices or even requirements.

Others respond with advice and tools

AgileBits, makers of 1Password, were called out in the paper specifically, not because they made mistakes, but rather due to their browser plug-in integration, which is extremely useful. Researchers found they could hijack an Internet socket allowed under App Store guidelines and read passwords and other data when a user invoked 1Password to fill in values on a given website.

In a detailed blog post, AgileBits explained the limited circumstances in which this flaw could be exploited, and provided a few concrete ways to avoid it. Specifically, the company says to check "Always Keep 1Password Mini Running" in Preferences > General in its OS X app.

And on Monday, Facebook's security team released an update to a developer tool called osquery that's designed for monitoring OS X and Linux to add a way to check for modifications that relate to three of the exploits; socket-based communication isn't included. The tool is free and part of Facebook's community giveback, in that it profits not a bit (except in positive attention) from making it available. In a blog post, one of the security team's engineers explains how an organization could make use of osquery to monitor continuously for telltale changes and alert an administrator.

There's been a remarkably positive response to this research paper in part because the researchers provided months of upfront disclosure to Apple, AgileBits, and other firms, allowing changes to be put in place and the scope of the problem to be fully understood. Apple said on Friday, "We have additional fixes in progress and are working with the researchers to investigate the claims in their paper."

This interplay of researcher, developer, community, and affected parties is a close to perfect case, especially when a zero-day exploit--one that can be potentially instantly invoked--comes about. I hope this sets a pattern for future security issues.

Join the CSO newsletter!

Error: Please check your email address.

Tags ApplesecurityMac App Storemalware

More about AppleEvernoteFacebookLinux

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place