This method also allows what was once called sidejacking: stealing tokens used to identify a user's browser during a session with a site, and then using that token elsewhere.
Scheme hijacking. A scheme identifies a kind of Internet or other resource and passes information to it in the form of a URL. For instance, the generic web scheme is "http" (as in http://); iOS and OS X apps can register custom schemes with the system so that other apps can hand them data or open a "deep link" inside the app.
However, Apple doesn't require schemes to be unique the way it requires unique Bundle IDs. Any app can register any scheme without validation, apart from a handful of Apple-specific ones. There's also no way for an app to confirm that a URL it sends will reach the intended app; it has to rely on the operating system's binding.
The paper's authors found:
For a scheme not on the lists, it will be bound to the first app that registers it on OS X and the last on iOS.
The researchers were able to grab tokens bound for other apps on OS X, where scheme-based handoff is used infrequently, and on iOS, where it's extremely common, and then sidejack sessions. One proof-of-concept they note targeted the Pinterest app's Facebook login: by registering the scheme over which Facebook returns the token, the authors' malware received Facebook's response carrying the Pinterest app's access token instead of Pinterest.
App developers could detect that the response had been redirected to the wrong app (the Pinterest app would notice that the expected callback never arrived), but that detection comes too late to stop the hijack that grabbed the token in the first place.
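To make the binding rule and the resulting callback hijack concrete, here is a small simulation. It is an added illustration, not code from the paper or from Apple's frameworks: the app names ("photos", "social", "malware"), the scheme strings and the token value are all made up. The `SchemeRegistry` models an OS scheme table that accepts any registration without validation and resolves collisions the way the article describes (first registrant wins on OS X, last registrant wins on iOS); `oauth_callback_flow` then plays out a login where an identity-provider app returns an access token over the client's callback scheme.

```python
"""Simulation of custom URL-scheme binding on OS X vs. iOS and of the
callback hijack described above.  Added illustration only: app names,
scheme strings and the token are constructed for the example."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class App:
    name: str
    received: List[str] = field(default_factory=list)  # URLs delivered to this app

    def handle_open_url(self, url: str) -> None:
        self.received.append(url)


class SchemeRegistry:
    """Models the OS scheme table.  Any app may claim any scheme (no
    validation); a collision is resolved by platform policy: on OS X the
    first app to register keeps the scheme, on iOS the last one wins."""

    def __init__(self, platform: str) -> None:
        if platform not in ("osx", "ios"):
            raise ValueError("platform must be 'osx' or 'ios'")
        self.platform = platform
        self._table: Dict[str, App] = {}

    def register(self, scheme: str, app: App) -> App:
        """Register `scheme` for `app`; returns the app that ends up owning it."""
        owner = self._table.get(scheme)
        if owner is None or self.platform == "ios":
            self._table[scheme] = app
        return self._table[scheme]

    def open_url(self, url: str) -> Optional[App]:
        """Dispatch `url` to whichever app owns its scheme; the sender has no
        way to check that the owner is the app it meant."""
        scheme = url.split("://", 1)[0]
        owner = self._table.get(scheme)
        if owner is not None:
            owner.handle_open_url(url)
        return owner


def oauth_callback_flow(platform: str, attacker_registers_first: bool) -> dict:
    """Client app 'photos' logs in through provider app 'social' and expects
    the token back on its callback scheme 'photos-auth'.  A malicious app
    registers the same callback scheme.  Returns who received the token and
    whether the client can tell that something went wrong."""
    reg = SchemeRegistry(platform)
    client, malware, idp = App("photos"), App("malware"), App("social")
    reg.register("social-auth", idp)
    order = [malware, client] if attacker_registers_first else [client, malware]
    for app in order:
        reg.register("photos-auth", app)

    # 1. The client asks the identity provider for a token.
    reg.open_url("social-auth://authorize?client=photos&redirect=photos-auth")

    # 2. The provider returns the token over the client's callback scheme.
    token = "tok-constructed-123"  # constructed value, not a real token
    receiver = reg.open_url("photos-auth://callback?access_token=" + token)

    return {
        "token_holder": receiver.name if receiver else None,
        # The client only learns of the hijack by noticing the missing callback,
        # after the token has already been delivered elsewhere.
        "client_got_callback": bool(client.received),
        "malware_got_token": any(token in u for u in malware.received),
    }


if __name__ == "__main__":
    for platform in ("osx", "ios"):
        for first in (True, False):
            print(platform, "attacker first" if first else "attacker last",
                  oauth_callback_flow(platform, first))
```

Running it shows the asymmetry the researchers reported: on OS X the attacker must get its registration in before the victim, while on iOS an app installed later simply takes over the scheme, which is why the same collision is much easier to exploit there. In both cases `client_got_callback` is false when the malware wins, so the legitimate app can detect the problem, but only after the token is gone.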
Verify, then trust
The authors ran a variety of tests to gauge how widely apps were exposed to these exploits, pulling down 1,612 free apps, up to the top 100 free apps in each major category. Of the 198 that use the system keychain and so should be susceptible, they randomly selected 20 and showed that 18 could be exploited. (Two Google apps were immune.)
For the scheme vulnerability, a code scan flagged 982 Mac apps as potentially affected; of 200 randomly selected for deeper analysis, 132 were found vulnerable.
Wang of Indiana University said that there's clearly more to be found in iOS, as their research remains some of the only to deeply examine cross-app issues. "If I were a hijacker, I'm just going to move my target to iOS," he said.
The short-term fix for these exploits is a combination of new recommendations and requirements to app developers, and additional procedures in the App Store review. "What the App Store can do is run something similar at least to identify--not malicious apps, but at least those vulnerable as targets," Wang said.