What You Need to Know About Recent 'XARA' Exploits Against iOS and OS X

Earlier this week, researchers from several universities published a report exposing a string of security vulnerabilities in iOS and OS X. The vulnerabilities, all labeled as XARA weaknesses, let malicious apps approved on the Mac and iOS App Stores gain access to sensitive data like passwords.

The report details several methods that inter-app interaction services can use to access everything from the Keychain and Websocket on OS X to the URL scheme on iOS and OS X, giving hackers access to sensitive data, including information stored within third-party apps like 1Password, Gmail, Facebook, Twitter, Instagram, Evernote, and more.


Following the release of the report, iMore's Nick Arnott and Rene Ritchie have taken an in-depth look at the XARA weaknesses in a series of posts on the subject, explaining exactly what they do, how they work on iOS and OS X, and the steps that you can take to protect yourself.

The first post from iMore gives a quick overview of what XARA is, explaining that it's a group of exploits that use malicious apps to gain access to secure information by inserting themselves into the middle of a communications chain or sandbox.

OS X, not iOS, is primarily affected by XARA exploits, and the malicious apps are able to be distributed through the Mac App Store and the iOS Store. After being downloaded, an app using XARA exploits waits to intercept data. Ritchie explains how it works:

For OS X Keychains, it includes pre-registering or deleting and re-registering items. For WebSockets, it includes preemptively claiming a port. For Bundle IDs, it includes getting malicious sub-targets added to the access control lists (ACL) of legitimate apps.

For iOS, it includes hijacking the URL scheme of a legitimate app.

iMore's second in-depth XARA post, written by Nick Arnott, goes into even more detail on the XARA weaknesses and details how to determine if you've been affected. On OS X, checking for malicious keychain entries is possible by opening the Keychain Access app, clicking on an item in the list, choosing "Get Info" and looking at the "Access Control" tab to see which apps have access to the Keychain item.

As detailed by Arnott, the only XARA exploit that affects iOS devices is the one that involves URL scheme hijacking, detectable by paying careful attention to apps that open via URL scheme, as they may look slightly different than the real thing.

All that said, you can help protect yourself from URL scheme hijacking if you're paying attention: When URL schemes are called, the responding application gets called to the foreground. This means that even if a malicious app intercepts the URL scheme intended for another app, it will have to come to the foreground to respond. As such, an attacker will have to do a bit of work to pull of this sort of attack without being noticed by the user.

In one of the videos provided by the researchers, their malicious app attempts to impersonate Facebook. Similar to a phishing website that doesn't look quite like the real thing, the interface presented in the video as Facebook may give some users pause: The app presented isn't logged in to Facebook, and its UI is that of a web view, not the native app.

Apple's known about XARA for several months, and according to the researchers who shared the vulnerability with Apple, the company does appear to have tried to fix it several times without success. Avoiding the exploit is relatively simple, as Ritchie and Arnott point out. Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious.

For those interested in learning more about the XARA weaknesses, iMore's overview post on the exploit and the site's more in-depth post are well worth a read.

Update: Apple on Friday provided iMore with the following statement regarding the XARA exploits:

Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store," an Apple spokesperson told iMore. "We have additional fixes in progress and are working with the researchers to investigate the claims in their paper."

Tag: iMore

Top Rated Comments

Shayanftw Avatar
82 months ago
By the time I enter my password on Chrome, my battery has run out
Score: 25 Votes (Like | Disagree)
Saucesome2000 Avatar
82 months ago
"Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious."

Isn't the point and advantage of the Mac App Store supposed to be that the developer's are vetted and trusted as are the apps? How exactly do we know who trusted developers are? Does Apple plan on having a blue checkmark system?

As an Apple fanboy, this should be their number one priority. Security is one of the top features of Apple products over the competition.
Score: 23 Votes (Like | Disagree)
Goldfrapp Avatar
82 months ago
Never shopping at Zara again.
Score: 12 Votes (Like | Disagree)
KALLT Avatar
82 months ago
I think what troubles me more is the complete silence on Apple's part. This has the potential to be a very serious issue and yet you hear nothing about it from your manufacturer. There is a point where Apple really starts to piss me off with this behaviour. You can see that even the developers of AgileBits are pretty much helpless and can't do anything to fix the problem, while their customers expect a secure product. I wonder how other developers of security software look at this.
Score: 9 Votes (Like | Disagree)
Thunderhawks Avatar
82 months ago
I think what troubles me more is the complete silence on Apple's part.
What would you like them to do? Put an ad in the paper?
That kind of stuff needs to be resolved quietly BECAUSE there is no need to broadcast to the hackers.

Also, the people who keep saying that as a fact Apple has done nothing need to read the line where it says they tried (so far unsuccessfully)
Looks like it's not that easy as a poster saying: Just fix it. Flip a switch and we are done!
Score: 9 Votes (Like | Disagree)
Dargoth Avatar
82 months ago
Great. Yet another thing for people who know nothing about computers to freak out about. The number of people who put a little piece of tape on their webcams... I don't even...
Score: 7 Votes (Like | Disagree)

Top Stories

apple california streaming event

Apple Event Announced: 'California Streaming' on September 14 With iPhone 13, Apple Watch Series 7 Expected

Tuesday September 7, 2021 9:03 am PDT by
Apple today announced that it will be holding a special event on Tuesday, September 14 at 10:00 a.m. The event will take place at the Steve Jobs Theater on the Apple Park campus in Cupertino, California. As with WWDC and last year's fall events, this new event will be held digitally with no members of the media invited to attend in person. Apple will likely provide pre-taped segments for...
Apple Prefer Lightning Over USB C Feature

iPhone Sticking With Lightning Port Over USB-C for 'Foreseeable Future'

Tuesday March 2, 2021 9:32 am PST by
Apple will retain the Lightning connector on the iPhone for the "foreseeable future," with no intention of switching to USB-C, according to reliable analyst Ming-Chi Kuo. In spite of much of the industry moving toward USB-C, Apple will not be using it to replace the Lightning connector on the iPhone 13, or indeed on any iPhone model for the time being. In a note seen by MacRumors yesterday,...
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
original iphone

Phil Schiller Says iPhone Was 'Earth-Shattering' Ten Years Ago and Remains 'Unmatched' Today

Monday January 9, 2017 7:15 am PST by
To commemorate the tenth anniversary of the iPhone, Apple marketing chief Phil Schiller sat down with tech journalist Steven Levy for a wide-ranging interview about the smartphone's past, present, and future. The report first reflects upon the iPhone's lack of support for third-party apps in its first year. The argument inside Apple was split between whether the iPhone should be a closed...
iOS 15 icon on phone

Apple Seeds Sixth Betas of iOS and iPadOS 15 to Developers

Tuesday August 17, 2021 10:05 am PDT by
Apple today seeded the sixth betas of iOS and iPadOS 15 to developers for testing purposes, with the updates coming one week after Apple released the fifth betas. Registered developers can download the profile for the iOS and iPadOS betas from the Apple Developer Center, and once the profile is installed, beta updates will be available over the air. iOS 15 is a major update that...
maroon5memories

Apple Collaborates With Maroon 5 to Add 'Memories' Song to Photos App

Wednesday September 25, 2019 12:02 pm PDT by
Apple has teamed up with Maroon 5 to add the group's new song "Memories" to the Memories feature in the Photos app, allowing it to be used for photo slide show creations, reports Billboard. "Memories" will be available as a soundtrack option for a limited time and it is available to iPhone and iPad users running the latest iOS 13 and iPadOS software. Memories in the Photos app are created ...
it home ecommerce app iphone 13

iPhone 13 to Launch on September 17, AirPods 3 on September 30, Claims Report

Wednesday August 25, 2021 2:42 am PDT by
Apple may be planning to launch the iPhone 13 on Friday, September 17 and third-generation AirPods on Thursday, September 30, according to an image of an e-commerce app discovered by Chinese language site IT Home. The screenshot, originally posted by Weibo account @PandaIsBald, suggests all four iPhone 13 models will go on sale on September 17, followed by the AirPods 3 on September 30....
MacBook Pro Coating

Apple Launches Quality Program for MacBook Pro Anti-Reflective Coating Issues

Saturday October 17, 2015 7:58 am PDT by
Apple has issued an internal notice about a new Quality Program that addresses anti-reflective coating issues on MacBook and MacBook Pro models with Retina displays, as confirmed by multiple sources. These issues include the anti-reflective coating on displays wearing off or delaminating under certain circumstances. Apple will replace Retina displays on affected MacBook or MacBook Pro models ...
iPhone 13 Dummy Thumbnail 2

Full iPhone 13 Feature Breakdown: Everything Rumors Say We Can Expect

Tuesday August 31, 2021 7:50 am PDT by
With the launch of Apple's iPhone 13 lineup believed to be just a few weeks away, we have compiled all of the coherent rumors from our coverage over the past year to build a full picture of the features and upgrades coming to the company's new smartphones. For clarity, only explicit improvements, upgrades, and new features compared to the iPhone 12 lineup are listed. It is worth noting that...
iphone 12 colors 2021

iPhone 12 Colors: Deciding on The Right Color

Thursday November 5, 2020 8:35 am PST by
The iPhone 12 and iPhone 12 Pro arrived in October 2020 in a range of color options, with entirely new hues available on both devices, as well as some popular classics. The 12 and 12 Pro have different color choices, so if you have your heart set on a particular shade, you might not be able to get your preferred model in that color. iPhone 12 mini and iPhone 12 The iPhone 12 mini and iPhone...