What You Need to Know About Recent 'XARA' Exploits Against iOS and OS X

Earlier this week, researchers from several universities published a report exposing a string of security vulnerabilities in iOS and OS X. The vulnerabilities, all labeled as XARA weaknesses, let malicious apps approved on the Mac and iOS App Stores gain access to sensitive data like passwords.

The report details several methods that inter-app interaction services can use to access everything from the Keychain and Websocket on OS X to the URL scheme on iOS and OS X, giving hackers access to sensitive data, including information stored within third-party apps like 1Password, Gmail, Facebook, Twitter, Instagram, Evernote, and more.


Following the release of the report, iMore's Nick Arnott and Rene Ritchie have taken an in-depth look at the XARA weaknesses in a series of posts on the subject, explaining exactly what they do, how they work on iOS and OS X, and the steps that you can take to protect yourself.

The first post from iMore gives a quick overview of what XARA is, explaining that it's a group of exploits that use malicious apps to gain access to secure information by inserting themselves into the middle of a communications chain or sandbox.

OS X, not iOS, is primarily affected by XARA exploits, and the malicious apps are able to be distributed through the Mac App Store and the iOS Store. After being downloaded, an app using XARA exploits waits to intercept data. Ritchie explains how it works:

For OS X Keychains, it includes pre-registering or deleting and re-registering items. For WebSockets, it includes preemptively claiming a port. For Bundle IDs, it includes getting malicious sub-targets added to the access control lists (ACL) of legitimate apps.

For iOS, it includes hijacking the URL scheme of a legitimate app.

iMore's second in-depth XARA post, written by Nick Arnott, goes into even more detail on the XARA weaknesses and details how to determine if you've been affected. On OS X, checking for malicious keychain entries is possible by opening the Keychain Access app, clicking on an item in the list, choosing "Get Info" and looking at the "Access Control" tab to see which apps have access to the Keychain item.

As detailed by Arnott, the only XARA exploit that affects iOS devices is the one that involves URL scheme hijacking, detectable by paying careful attention to apps that open via URL scheme, as they may look slightly different than the real thing.

All that said, you can help protect yourself from URL scheme hijacking if you're paying attention: When URL schemes are called, the responding application gets called to the foreground. This means that even if a malicious app intercepts the URL scheme intended for another app, it will have to come to the foreground to respond. As such, an attacker will have to do a bit of work to pull of this sort of attack without being noticed by the user.

In one of the videos provided by the researchers, their malicious app attempts to impersonate Facebook. Similar to a phishing website that doesn't look quite like the real thing, the interface presented in the video as Facebook may give some users pause: The app presented isn't logged in to Facebook, and its UI is that of a web view, not the native app.

Apple's known about XARA for several months, and according to the researchers who shared the vulnerability with Apple, the company does appear to have tried to fix it several times without success. Avoiding the exploit is relatively simple, as Ritchie and Arnott point out. Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious.

For those interested in learning more about the XARA weaknesses, iMore's overview post on the exploit and the site's more in-depth post are well worth a read.

Update: Apple on Friday provided iMore with the following statement regarding the XARA exploits:

Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store," an Apple spokesperson told iMore. "We have additional fixes in progress and are working with the researchers to investigate the claims in their paper."

Tag: iMore

Popular Stories

iPhone 17 Plus Feature

iPhone 17 Lineup Specs Detail Display Upgrade and New High-End Model

Monday July 22, 2024 4:33 am PDT by
Key details about the overall specifications of the iPhone 17 lineup have been shared by the leaker known as "Ice Universe," clarifying several important aspects of next year's devices. Reports in recent months have converged in agreement that Apple will discontinue the "Plus" iPhone model in 2025 while introducing an all-new iPhone 17 "Slim" model as an even more high-end option sitting...
iPhone SE 4 Vertical Camera Feature

iPhone SE 4 Rumored to Use Same Rear Chassis as iPhone 16

Friday July 19, 2024 7:16 am PDT by
Apple will adopt the same rear chassis manufacturing process for the iPhone SE 4 that it is using for the upcoming standard iPhone 16, claims a new rumor coming out of China. According to the Weibo-based leaker "Fixed Focus Digital," the backplate manufacturing process for the iPhone SE 4 is "exactly the same" as the standard model in Apple's upcoming iPhone 16 lineup, which is expected to...
Apple TV Plus Feature 2 Magenta and Blue

Apple TV+ Curbs Costs After Expensive Projects Fail to Capture Viewers

Monday July 22, 2024 5:11 am PDT by
Apple is scaling back its Hollywood spending after investing over $20 billion in original programming with limited success, Bloomberg reports. This shift comes after the streaming service, which launched in 2019, struggled to capture a significant share of the market, accounting for only 0.2% of TV viewership in the U.S., compared to Netflix's 8%. Despite heavy investment, critical acclaim,...
iPhone 16 Pro Sizes Feature

iPhone 16 Series Is Just Two Months Away: Everything We Know

Monday July 15, 2024 4:44 am PDT by
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
iPhone 17 Plus Feature Purple

These 5 Features Will Make the iPhone 17 the Biggest Update in Years

Monday July 22, 2024 4:02 pm PDT by
The upcoming iPhone 16 models that we're expecting to see in September are going to be quite similar to the iPhone 15 models, but rumors suggest that Apple is making big changes in 2025. We've been hearing hints of an all-new device in the iPhone lineup, and it may be the most expensive iPhone Apple has offered to date. New 'Slim' Design Rumors have taken to referring to the new iPhone 17...
iPhone SE 4 Thumb 1

iPhone SE 4 Rumored to Launch Early Next Year With OLED Display, 48MP Camera, and More

Monday July 22, 2024 7:22 am PDT by
The fourth-generation iPhone SE will offer a series of major upgrades over the current model, the leaker known as "Ice Universe" claims. The information was listed in a post on Weibo, which also detailed the specifications of the iPhone 17 lineup. As previously rumored, the fourth-generation iPhone SE is expected to feature Face ID and USB-C, marking a major upgrade from current and previous ...
bsod

Microsoft Blames European Commission for Major Worldwide Outage

Monday July 22, 2024 11:55 am PDT by
Last Friday, a major CrowdStrike outage impacted PCs running Microsoft Windows, causing worldwide issues affecting airlines, retailers, banks, hospitals, rail networks, and more. Computers were stuck in continuous recovery loops, rendering them unusable. The failure was caused by an update to the CrowdStrike Falcon antivirus software that auto-installed on Windows 10 PCs, but Mac and Linux...

Top Rated Comments

Shayanftw Avatar
119 months ago
By the time I enter my password on Chrome, my battery has run out
Score: 25 Votes (Like | Disagree)
Saucesome2000 Avatar
119 months ago
"Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious."

Isn't the point and advantage of the Mac App Store supposed to be that the developer's are vetted and trusted as are the apps? How exactly do we know who trusted developers are? Does Apple plan on having a blue checkmark system?

As an Apple fanboy, this should be their number one priority. Security is one of the top features of Apple products over the competition.
Score: 23 Votes (Like | Disagree)
sniffies Avatar
119 months ago
Never shopping at Zara again.
Score: 12 Votes (Like | Disagree)
KALLT Avatar
119 months ago
I think what troubles me more is the complete silence on Apple's part. This has the potential to be a very serious issue and yet you hear nothing about it from your manufacturer. There is a point where Apple really starts to piss me off with this behaviour. You can see that even the developers of AgileBits are pretty much helpless and can't do anything to fix the problem, while their customers expect a secure product. I wonder how other developers of security software look at this.
Score: 9 Votes (Like | Disagree)
Thunderhawks Avatar
119 months ago
I think what troubles me more is the complete silence on Apple's part.
What would you like them to do? Put an ad in the paper?
That kind of stuff needs to be resolved quietly BECAUSE there is no need to broadcast to the hackers.

Also, the people who keep saying that as a fact Apple has done nothing need to read the line where it says they tried (so far unsuccessfully)
Looks like it's not that easy as a poster saying: Just fix it. Flip a switch and we are done!
Score: 9 Votes (Like | Disagree)
Dargoth Avatar
119 months ago
Great. Yet another thing for people who know nothing about computers to freak out about. The number of people who put a little piece of tape on their webcams... I don't even...
Score: 7 Votes (Like | Disagree)