Researchers Figure Out How To Attack Apple Keychain on iPhone and Mac

According to Ars Technica, researchers have found several sneaky ways to steal passwords and other sensitive app information on both the iOS and OS X Apple platforms.  None of them seem to directly attack the secure element – not that this will make users feel better – and Apple is working with the researchers to patch the holes (see article).

The researchers even created proof of concept apps and got them approved on the Apple store.  This is usually considered hard to do because of Apple’s app vetting process.

Since the researchers wrote a paper on the subject and published it, I suspect that there is some hyper-activity going on in Cupertino as Apple attempts to verify and fix the flaws (see paper).  One interesting note – half the research team is Chinese at Chinese universities.  And now that every hacker in the world is aware of this, you can connect the dots …

The flaws fall into three categories:

Password stealing – where the app compromises the security mechanism that controls ACCESS TO passwords in the keychain.

Container cracking – where the app foils the security on containers that contain information like passwords, which are supposed to be available only to the app that owns it.

Scheme hijacking – where a malicious app steals control of particular URL scheme and thereby hijack that app’s data.

Apparently, this is pretty hard to fix.  The researchers disclosed this information to Apple 6 months ago, but the loopholes are still not closed.  Late Friday afternoon, Apple announced that they had done something to stop apps in the Mac app store from being published that exploit these known flaws.  They did not say anything about iPhone or iPad, so I don’t know if it protects those downloads as well.

Of course, until they actually fix the two operating systems, it is really a cat and mouse game.  They can block an app that does ‘x’, but when the app morphs to ‘x1’ they may not catch it.

For now, the only solution is not to install apps unless you absolutely, positively have to.


Leave a Reply

Your email address will not be published. Required fields are marked *