It's the easiest thing in the world to write a headline that tells you to panic; it's much harder to write one that says something is very wrong, but the odds of it occurring are very low and getting lower. Last week's release of a research paper that showed exploits that were possible in App Store-approved software in iOS and OS X via inter-application shared resources was significant. However, most of the media covering it (including us) got the nuance right.
The App Store wasn't compromised, nor is there a way for Internet-distributed malware to make good use of these flaws. Rather, through lengthy work that included consultation with software makers and Apple, it seems that the exploits were largely mitigated before the paper was released. Finer steps to root out the spots that can be vectors for attack will clearly come.
It's also nice to hear Apple respond quickly and forcefully to a potentially significant security hole. The paper was released on Wednesday, and Apple confirmed that it had made server-side changes and was working with researchers on additional issues.
What should you be concerned with as an app buyer?
Which flaws and which apps
To recap: researchers found four categories of severe flaws, three of which affect only apps in the Mac App Store, and a fourth that can be used by malware in the Mac or iOS App Store. An attacker has to develop an app, get it approved by Apple, and then convince people to obtain it before any of the exploits can be used.
While iOS users have zero choice about where they get apps, Mac users can pick from the App Store or any source. Based on best-selling lists and the abdication from or disinterest in the Mac App Store by some leading developers, most apps downloaded are from Apple or a handful of well-known companies. For a malicious developer to even get to users will require a lot of stars to be in alignment. The high bar makes it unlikely for criminals to try; governments might if they had particular targets in mind and could mask their intent.
The four flaws relate to snooping on keychain password entries, reading app-specific data storage that should be restricted to the app via user-approved conduits (like Evernote), intercepting browser-to-app communication, and, for both iOS and OS X, hijacking URL schemes that could contain access tokens.
Because all the exploits require submission and approval of an app, Apple should have been able to change its screening process as long ago as October, after the researchers tested submitting apps with malicious inter-application components and having them approved. (The paper's authors removed these apps immediately after approval.)