„XARA, deconstructed“ ➊
Sicherheitsforscher demonstrierten in dieser Woche vier Schwachstellen für Mac OS, eine davon gilt speziell für iOS. Sie betrifft die Datenkommunikation zwischen Apps, die dafür URL-Schemes verwenden.
Nick Arnott verfasste eine verständliche Übersicht:
Unfortunately, despite the fact that this sort of URL scheme hijacking behavior is well-known, there are still many developers that use URL schemes to pass sensitive data between apps. For instance, apps that handle sign-in through a third-party service may pass oauth or other sensitive tokens between apps using URL schemes; two examples mentioned by the researchers are Wunderlist on OS X authenticating with Google and Pinterest on iOS authenticating with Facebook. If a malicious app registers for a URL scheme being used for the above purposes, then it may be able to intercept, use, and transmit that sensitive data to an attacker.
„XARA, deconstructed: An in-depth look at OS X and iOS cross-app resource attacks“
Jeffrey Goldberg beschreibt aus Sicht von 1Password die Problematik, die nicht nur einen Bugfix-Release benötigt, sondern auch dazu zwingt über die zugrundeliegende Architektur nachzudenken.
As always be careful about what software you run and install on your system. […] Now Xing and his team point out that this isn’t a guaranteed way to prevent malware being installed. They were able to get a malicious app approved by the Mac App Store review process. However, I think it is reasonable to assume that now that Apple reviewers know what to look for, it will be much harder for that specific kind of malware to get through.
Für die Verwendung von URL-Schemata unter iOS sucht Apple bereits nach Alternativen, wie Greg Pierce in Bezug auf entsprechende WWDC-Sessions festhielt.
Apple has been adding more secure and reliable ways to do many (but not all) of the things possible with URLs (Extensions, App Links, etc.). Long term these are important changes because it is true that there are implications to the uncontrolled use of URLs that may be exploited.
Update ➊
An Apple spokesperson confirmed Apple has blocked some XARA holes and is investigating more. Cc @macworld pic.twitter.com/NMtwNIVUr0
— Glenn Fleishman (@GlennF) 19. Juni 2015