To conduct their research, the authors of the report uploaded malware to Apple’s App Store. In the process, they did not trigger alerts signifying that their app could steal passwords for services, including Mail and iCloud.
“Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps,” the authors wrote in their report.
Xing says that his team reported the flaws to Apple in October 2014. Afterward, he complied with the company’s request to withhold the release of his report for six months, according to The Register. Thus far, Apple has not been immediately available for comment. However, the research team suspects that the security flaws are still present.
“We built end-to-end attacks on several high-impact apps (e.g., Facebook, Pinterest, etc.), identified the impacts of the threat over a thousand apps, and more importantly demonstrate that the attacks can be made stealthy (through different man-in-the-middle tricks on MAC OS and iOS, passing the stolen token to the victim app, to completely conceal the attack), which is nontrivial,” the report continues.
Thus far, much of the researchers’ work has been focused on Android security. This is one of the first reports that has been based on Apple’s security vulnerabilities. Xing and his team say that most of the problems stem from Apple’s cross-app resource sharing and communication methods.
Researchers concluded that approximately 90 percent of Mac and iOS apps were “completely exposed,” giving malware full access to sensitive data.