Apple's Zero-Day Security Flaws on iOS, OS X Let Hackers Steal User Passwords
In an unusual way to demonstrate how unsafe the Apple Store's application sandbox is for protecting iOS operating systems, a password stealing app was approved and uploaded to the Mac App Store. This breaking story shows how researchers were able to include an app that will "create apps that pilfer iCloud, Gmail, and banking passwords and can also siphon data from 1Password, Evernote, and other apps."
Mac machines have been relatively safe from malware until this cross-app resource called XARA, accessed or rather, attacked application in the Apple Store. It certainly raises troubling doubts about Apple's assurances on the widely used Apple platforms. This makes you think about your security on the Cloud and desktop.
This hack is an example of zero-day exploit. The vulnerability was discovered six months ago by the researchers. Apple officials asked them to wait before exposing the flaw in Apple's coding. Apparently, Apple didn't contacted them again, so the researchers released the story in May 2015. You can find a copy of the research paper here.
How this Apple exploit happened
A team of researchers from Indiana University, Peking University, and Georgia Institute of Technology, created a malware app and uploaded it to the App Store. It steals passwords from installed apps, email clients, and Google's Chrome web browser, including breaking app sandboxes and cracking Apple's password storing keychain. The team wanted to show Apple a flaw in their environment. Exploiting this flaw, hackers can bypass the App Store security check using this hacking app. [Source ]
Although Apple officials released a patch right away, this shows hacking the Apple Store is easier than many of us think. Interestingly, this Apple's security topic coincides with a common discussion thread we had with our Techstars' mentors during a gruesome mentor madness week. A few mentors brought up the point that since Apple is a big and well-known company, therefore the security level at the AppStore and its published apps should be bullet-proof. The answer is yes and no. The AppStore is more consumer focused, and the security is more on the consumer-level. Apple expects that if you need high levels security, as required by a particular industry, you will need to do the extra work and add other layers of security into your mobile application and its backend.
When it comes to security cards, you can't put all security bet on one hand. In this case, relying on security mechanisms provided by the platform (Apple's operating system) alone is not enough. For this precise reason, we have done it differently. When we designed SeaCat, our flagship security technology for mobile app and mobile backend, we added another layer of security by implementing a separate keychain, without depending on the one included in Apple iOS. SeaCat contains a system-independent SSL/TLS stack with the most recent TLS setup, regardless of mobile device vendors. This helps protect against vulnerabilities found in platforms as seen in this fiasco. Of course, our solution offers a wide-range of best practices and benefits. To learn more, please check out SeaCat's full product features and benefits.
Security is a tricky thing. It needs to be inspected from all levels: system, network, app, device, and user. And it needs to be considered and planned from the beginning of the development.
Because there is always going to be someone, amateur or professional who can hack through the code if they try hard enough.
If you want know more about information security concerning enterprise mobility solutions, we'd love to connect with you. Send us an email at info@teskalabs.com or tweet to us @TeskaLabs.
You Might Be Interested in Reading These Articles

5 Cyber Threats eCommerce Websites Should Watch Out For
There are innumerable advantages to eCommerce. Businesses can make sales outside of business hours; they can reach customers over their own personal social media pages, and take advantage of people being more inclined to spend while they’re on the couch with a glass of wine rather than harassed in the changing room of a crowded store. However, with all of these advantages, there are also some inherent threats that could annihilate a business’ reputation.
Published on May 02, 2017

Look Who's Talking! Privacy and Security Concerns Over The New Hi-tech Barbie
Our Business Development Manager, Pavel Enderle, had an interview with CT24 TV, a Czech television channel, to discuss cloud security regarding the new Barbie product, Hello Barbie. This Barbie can talk to children by using ToyTalk’s system to analyze the child’s speech and produce relevant responses.
Published on June 09, 2015

How TeskaLabs Helps You Operate SCADA Systems Securely and Comply with Security Laws
Cyberspace does not have boundaries. The internet is a truly international community, and it takes just milliseconds to reach a data source on a whole different continent. The internet is therefore an open arena for cyberattacks from across the world, where anyone can try to break their way into someone else’s data. We can see this daily in the news or on the specialized ICT news servers- the attacks never stop.
Published on June 06, 2017