What You Need to Know About Recent 'XARA' Exploits Against iOS and OS X

Earlier this week, researchers from several universities published a report exposing a string of security vulnerabilities in iOS and OS X. The vulnerabilities, all labeled as XARA weaknesses, let malicious apps approved on the Mac and iOS App Stores gain access to sensitive data like passwords.

The report details several methods that inter-app interaction services can use to access everything from the Keychain and Websocket on OS X to the URL scheme on iOS and OS X, giving hackers access to sensitive data, including information stored within third-party apps like 1Password, Gmail, Facebook, Twitter, Instagram, Evernote, and more.


Following the release of the report, iMore's Nick Arnott and Rene Ritchie have taken an in-depth look at the XARA weaknesses in a series of posts on the subject, explaining exactly what they do, how they work on iOS and OS X, and the steps that you can take to protect yourself.

The first post from iMore gives a quick overview of what XARA is, explaining that it's a group of exploits that use malicious apps to gain access to secure information by inserting themselves into the middle of a communications chain or sandbox.

OS X, not iOS, is primarily affected by XARA exploits, and the malicious apps are able to be distributed through the Mac App Store and the iOS Store. After being downloaded, an app using XARA exploits waits to intercept data. Ritchie explains how it works:

For OS X Keychains, it includes pre-registering or deleting and re-registering items. For WebSockets, it includes preemptively claiming a port. For Bundle IDs, it includes getting malicious sub-targets added to the access control lists (ACL) of legitimate apps.

For iOS, it includes hijacking the URL scheme of a legitimate app.

iMore's second in-depth XARA post, written by Nick Arnott, goes into even more detail on the XARA weaknesses and details how to determine if you've been affected. On OS X, checking for malicious keychain entries is possible by opening the Keychain Access app, clicking on an item in the list, choosing "Get Info" and looking at the "Access Control" tab to see which apps have access to the Keychain item.

As detailed by Arnott, the only XARA exploit that affects iOS devices is the one that involves URL scheme hijacking, detectable by paying careful attention to apps that open via URL scheme, as they may look slightly different than the real thing.

All that said, you can help protect yourself from URL scheme hijacking if you're paying attention: When URL schemes are called, the responding application gets called to the foreground. This means that even if a malicious app intercepts the URL scheme intended for another app, it will have to come to the foreground to respond. As such, an attacker will have to do a bit of work to pull of this sort of attack without being noticed by the user.

In one of the videos provided by the researchers, their malicious app attempts to impersonate Facebook. Similar to a phishing website that doesn't look quite like the real thing, the interface presented in the video as Facebook may give some users pause: The app presented isn't logged in to Facebook, and its UI is that of a web view, not the native app.

Apple's known about XARA for several months, and according to the researchers who shared the vulnerability with Apple, the company does appear to have tried to fix it several times without success. Avoiding the exploit is relatively simple, as Ritchie and Arnott point out. Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious.

For those interested in learning more about the XARA weaknesses, iMore's overview post on the exploit and the site's more in-depth post are well worth a read.

Update: Apple on Friday provided iMore with the following statement regarding the XARA exploits:

Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store," an Apple spokesperson told iMore. "We have additional fixes in progress and are working with the researchers to investigate the claims in their paper."

Tag: iMore

Top Rated Comments

(View all)
Avatar
67 months ago
By the time I enter my password on Chrome, my battery has run out
Score: 25 Votes (Like | Disagree)
Avatar
67 months ago
"Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious."

Isn't the point and advantage of the Mac App Store supposed to be that the developer's are vetted and trusted as are the apps? How exactly do we know who trusted developers are? Does Apple plan on having a blue checkmark system?

As an Apple fanboy, this should be their number one priority. Security is one of the top features of Apple products over the competition.
Score: 23 Votes (Like | Disagree)
Avatar
67 months ago
Never shopping at Zara again.
Score: 12 Votes (Like | Disagree)
Avatar
67 months ago
I think what troubles me more is the complete silence on Apple's part. This has the potential to be a very serious issue and yet you hear nothing about it from your manufacturer. There is a point where Apple really starts to piss me off with this behaviour. You can see that even the developers of AgileBits are pretty much helpless and can't do anything to fix the problem, while their customers expect a secure product. I wonder how other developers of security software look at this.
Score: 9 Votes (Like | Disagree)
Avatar
67 months ago

I think what troubles me more is the complete silence on Apple's part.

What would you like them to do? Put an ad in the paper?
That kind of stuff needs to be resolved quietly BECAUSE there is no need to broadcast to the hackers.

Also, the people who keep saying that as a fact Apple has done nothing need to read the line where it says they tried (so far unsuccessfully)
Looks like it's not that easy as a poster saying: Just fix it. Flip a switch and we are done!
Score: 9 Votes (Like | Disagree)
Avatar
67 months ago
Great. Yet another thing for people who know nothing about computers to freak out about. The number of people who put a little piece of tape on their webcams... I don't even...
Score: 7 Votes (Like | Disagree)

Top Stories

Apple-Acquired Dark Sky Officially Shuts Down Android App

Saturday August 1, 2020 3:43 pm PDT by
Apple in March purchased weather app Dark Sky, and at that time, Dark Sky's developers said that the app's Android version would be discontinued on July 1, 2020. However, instead of shuttering the app on that date, the app's developers announced that the discontinuation would be delayed for another month. Now that it's August, Android users are no longer able to access the app, and...

Apple May Launch This Year's 'iPhone 12' Lineup in Two Stages, With 6.1-inch Models Debuting First

Monday August 3, 2020 3:14 am PDT by
Apple last week confirmed that its "‌iPhone‌ 12" launch will be delayed this year due to the ongoing global health crisis and restrictions on travel. Apple last year started selling iPhones in late September, but this year, Apple projects supply will be "available a few weeks later," suggesting a release sometime in October. We're expecting a total of four OLED iPhones in 5.4, 6.1, and...

Top Stories: Try the 5.4-Inch iPhone 12 Display Size, Blockbuster Earnings, Tim Cook at Antitrust Hearing

Saturday August 1, 2020 6:00 am PDT by
Another busy week of Apple news and rumors has wrapped up, with a lot of focus on Tim Cook's appearance at a Congressional antitrust hearing and a blockbuster earnings report. Subscribe to the MacRumors YouTube channel for more videos. We continued to hear rumors about the upcoming iPhone 12 lineup, including a rare admission from Apple that the lineup will launch "a few weeks later" than...

Just How Small Will the 5.4-Inch iPhone 12 Screen Be? Try It Out for Yourself

Tuesday July 28, 2020 12:57 pm PDT by
As rumors of the iPhone 12 have continued to build over the past few months, the one model that has the most excitement around it is the smallest 5.4" model. The iPhone 12 is believed to be coming in 5.4", 6.7", and 6.1" sizes. Dummy models have shown how much smaller the 5.4" is compared to the rest of the iPhone lineup. The upcoming 5.4" iPhone falls in-between the size of the original...

Unreleased iPod Touch with Mac Pro Glossy Black Finish Shared Online

Sunday August 2, 2020 11:32 am PDT by
Twitter user @DongleBookPro has today posted images of what seems to be a first-generation iPod Touch prototype with a 2013 Mac Pro-style glossy black finish. The Twitter user claims that the iPod Touch prototype pictured has "the same coating as the 2013 Mac Pro." Had the finish been selected for the final product, it also would have been similar to the metallic glossy black finish that...

Apple Confirms This Year's iPhone 12 Models Will Be a Little Bit Late

Thursday July 30, 2020 2:34 pm PDT by
During today's earnings call covering the third fiscal quarter of 2020 (second calendar quarter) Apple CFO Luca Maestri confirmed that Apple is expecting to release this year's iPhones later than usual. Maestri said that Apple last year started selling iPhones in late September, but this year, Apple projects supply will be "available a few weeks later." Multiple rumors have suggested that ...

Battery Likely for Upcoming Apple Watch Series 6 Filed in Certification Listings

Saturday August 1, 2020 5:46 am PDT by
A battery likely for the upcoming Apple Watch Series 6 has been filed at the Korea Testing and Research Institute and discovered by a Twitter user @yabhishekhd. Certification for a 1.17Wh battery with a capacity of 303.8mAh was issued on June 23 by the KTR, a Korean regulatory body that approves and tests new hardware ahead of public sale. The battery seems to be destined for a future...

Apple Watch Series 6 to Feature Blood Oxygen Monitoring Sensor

Friday July 31, 2020 1:56 am PDT by
The Apple Watch Series 6 will add blood oxygen monitoring to its features list when it's launched later this year, according to a new report from DigiTimes. Apple Watch 6 will feature biosensors that can monitor sleeping conditions, detect blood oxygen and measure pulse rates, heartbeats and atrial fibrillation, and will also incorporate MEMS-based accelerometer and gyroscope, all allowing the ...

Apple Marks Return of NHL With New 'Hockey Tape' Ad Shot on iPhone 11 Pro

Saturday August 1, 2020 2:33 am PDT by
Apple today marked the return of NHL hockey with a new "Shot on iPhone" ad on its YouTube channel in Canada. Titled "Hockey Tape," the 30-second video features Vegas Golden Knights players Marc-André Fleury and Mark Stone having some on-ice fun with the iPhone 11 Pro, which they attach to the boards, a hockey stick, and a skate with hockey tape. "See the game like never before with Ultra ...

Emails Reveal Why Steve Jobs and Phil Schiller Blocked In-App Purchase of Kindle Books

Friday July 31, 2020 6:25 am PDT by
Internal Apple emails, made public by the House Judiciary Committee's antitrust inquiry, have revealed information about why Apple blocked in-app purchases of Kindle books on iOS devices, reports The Verge. Two sets of emails between Steve Jobs, Phil Schiller, Eddy Cue, and various other senior Apple executives, disclose the exact thinking behind how Apple approached Kindle on iOS. The...