Apple can also rescreen all apps in the App Store for the specific sorts of behavior described in the paper and build those checks into future approvals. The keychain flaw, in which malware adds itself to the access-control list of a keychain entry so that it can read what another app later stores there, should be something Apple can check apps for directly, but fully closing it obviously requires some reengineering of the system itself.
The statement from the company on Friday said that it has already made one fix: Apple "implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store." That relates to the second flaw I noted above, labeled "container cracking," in which an app's private sandbox data can be stolen by a helper component of a malicious app that registers itself as if it were an already accepted extension of the target app.
The URL scheme issue is straightforward in one respect: apps have to declare the schemes they handle in a form the OS can read, so Apple can parse and test for collisions on both platforms at submission time. An app can't control where a scheme hands off to; a Facebook authorization request launched from Pinterest doesn't know whether Facebook or malware has registered Facebook's scheme. But the app receiving a redirect can determine where that redirect came from, and developers can put in checks around this to reject callbacks from unexpected senders, although Apple may make changes in both OSes that obviate the need.
The researchers found that some apps are already resistant to one or more of the exploits because of particular implementation choices, and those choices could be turned into best practices or even requirements.
Others respond with advice and tools
AgileBits, makers of 1Password, were called out in the paper specifically, not because they made mistakes, but because of the way their browser extension talks to the app, an integration that is extremely useful. The extension communicates over a local network socket, a mechanism allowed under App Store guidelines, and the researchers found that a malicious app could hijack that socket and read passwords and other data when a user invoked 1Password to fill in values on a given website.
In a detailed blog post, AgileBits explained the limited circumstances under which this flaw could be exploited and gave a few concrete ways to avoid it. Specifically, the company says to check "Always Keep 1Password Mini Running" in Preferences > General in its OS X app; the idea is that if 1Password mini already holds its local port, an app launched later can't take that port out from under it.
And on Monday, Facebook's security team released an update to osquery, its open-source tool for monitoring OS X and Linux hosts, adding a way to check for modifications related to three of the exploits; socket-based communication isn't covered. The tool is free and part of Facebook's community giveback: the company profits not a bit from making it available, except in positive attention. In a blog post, one of the security team's engineers explains how an organization could use osquery to monitor continuously for telltale changes and alert an administrator.
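As an added example, not code from this article, from Facebook's osquery post, or from the XARA paper, here is what continuous monitoring for two of these conditions looks like once the rows are in hand. The rows are constructed, and their shape follows osquery's keychain_acls and app_schemes tables as documented for current osquery; the column names and the expected-owner baseline are assumptions, not something the article states. The keychain rule flags an item whose access-control list authorizes an app outside a recorded baseline, matching the keychain flaw described above; the scheme rule flags a URL scheme with more than one registered handler, matching the scheme hijack; and the snapshot diff is the differential reporting a scheduled osquery query gives you, so an administrator is alerted only on rows that are new since the last run. Container cracking is not shown.

```python
"""Detection logic over constructed rows shaped like osquery's keychain_acls
and app_schemes tables. Added example; not Facebook's own osquery queries."""

from collections import defaultdict

# Constructed sample rows shaped like osquery's keychain_acls table (assumed
# columns): one row per application authorized on a keychain item's ACL.
SAMPLE_KEYCHAIN_ACLS = [
    {"label": "com.example.bank.session", "path": "/Applications/Bank.app"},
    {"label": "com.example.bank.session", "path": "/Applications/Weather.app"},
    {"label": "com.example.chat.token", "path": "/Applications/Chat.app"},
]

# Assumed baseline: which application should be authorized on each item.
# In a deployment this is recorded from known-good machines ahead of time.
EXPECTED_OWNERS = {
    "com.example.bank.session": {"/Applications/Bank.app"},
    "com.example.chat.token": {"/Applications/Chat.app"},
}

# Constructed sample rows shaped like osquery's app_schemes table (assumed
# columns): one row per (scheme, handler) registration on the host.
SAMPLE_APP_SCHEMES = [
    {"scheme": "fb", "handler": "com.facebook.Facebook"},
    {"scheme": "fb", "handler": "com.example.lookalike"},
    {"scheme": "mailto", "handler": "com.apple.mail"},
]


def keychain_acl_anomalies(rows, expected_owners):
    """Return (label, path) pairs where an app outside the expected set is
    authorized on an item. Items absent from the baseline are skipped rather
    than flagged, so newly installed legitimate apps don't flood the channel."""
    hits = []
    for row in rows:
        allowed = expected_owners.get(row["label"])
        if allowed is not None and row["path"] not in allowed:
            hits.append((row["label"], row["path"]))
    return hits


def scheme_collisions(rows):
    """Return {scheme: sorted handlers} for every scheme claimed by more than
    one handler. Two handlers on one scheme means one of them can receive
    callbacks (for example OAuth redirects) intended for the other."""
    handlers = defaultdict(set)
    for row in rows:
        handlers[row["scheme"]].add(row["handler"])
    return {s: sorted(h) for s, h in handlers.items() if len(h) > 1}


def diff_snapshots(previous, current):
    """Differential reporting: only rows that appeared since the last run.
    This is the shape of result a scheduled osquery query hands to a log
    forwarder, and the thing an alert should key on."""
    seen = {tuple(sorted(r.items())) for r in previous}
    return [r for r in current if tuple(sorted(r.items())) not in seen]


def scheme_alerts(previous_rows, current_rows):
    """Alert strings for schemes that became contested since the last run:
    diff first, then evaluate collisions only on the schemes that changed."""
    changed = {r["scheme"] for r in diff_snapshots(previous_rows, current_rows)}
    contested = scheme_collisions(current_rows)
    return [
        f"scheme '{s}' now claimed by: {', '.join(contested[s])}"
        for s in sorted(changed) if s in contested
    ]


if __name__ == "__main__":
    for label, path in keychain_acl_anomalies(SAMPLE_KEYCHAIN_ACLS, EXPECTED_OWNERS):
        print(f"keychain item '{label}' readable by unexpected app {path}")
    # Simulate the previous run having seen only the legitimate registrations.
    earlier = [SAMPLE_APP_SCHEMES[0], SAMPLE_APP_SCHEMES[2]]
    for line in scheme_alerts(earlier, SAMPLE_APP_SCHEMES):
        print(line)
```

The keychain rule is only as good as the baseline you record, which is the real work in a deployment; the scheme rule needs no baseline, because a contested scheme is suspicious on its own, and the diff keeps a long-standing, investigated collision from paging someone on every run.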