Previously, Tamir revealed a recent feature of Xcode 7 that allows developers to sign apps with certificates created via just an Apple ID, rather than the more thorough identification process used for App Store releases, or even enterprise certificate use. While an Apple ID is far easier to obtain, Apple does limit applications signed in this way, preventing them from accessing many services, but still potentially allowing it to access GPS data, address books, the calendar, and HealthKit, among other items.
Tamir has already shown off a proof-of-concept tool called Su-A-Cyder, which could be used to replace a genuine signed app on an iOS device, acting as if it were the genuine app while still giving the attacker access to that app's data. The attack can only be carried out while the device is connected to a computer, so it is only usable where physical access to the target's iPhone is possible and the passcode is known. Notably, while the vulnerability is present in devices running versions of iOS predating 8.3, Apple has since tightened up security so that installing an app with a similar ID to another is no longer possible.
Despite Apple's best efforts, Tamir has now revealed SandJacking, a technique similar to Su-A-Cyder that works on the latest version of iOS. Tamir notes that, while Apple has secured the install process to prevent replacement of legitimate apps, the restore process is unprotected: an attacker with physical access can still make a backup, then switch out the legitimate app for a malicious version while restoring from that backup.
The attack was demonstrated using Skype at the conference, but it has also apparently been tested against other major applications. It is, however, limited to the sandbox of the replaced app, so multiple malicious apps would have to be created and swapped in to harvest more than one data source on the device. The victim is also said to be unlikely to notice the attack has taken place, unless they check the app's certificate and see that the device's provisioning settings have changed from the legitimate source.
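The check the article alludes to, as an added example that is not from the article or from the researcher's tooling: it pulls the property list out of an app's embedded.mobileprovision (a CMS envelope wrapping an XML plist) and flags the marks of a free-Apple-ID development profile, which is device-limited, debuggable and short-lived, none of which a store-signed app carries. The sample profiles, team names and device identifier are constructed.

```python
import plistlib
from datetime import datetime, timedelta

PLIST_START, PLIST_END = b"<?xml", b"</plist>"


def extract_profile_plist(raw: bytes) -> dict:
    """Locate the XML plist embedded in a .mobileprovision CMS blob and parse it."""
    start, end = raw.find(PLIST_START), raw.find(PLIST_END)
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(raw[start:end + len(PLIST_END)])


def classify_profile(profile: dict) -> dict:
    """Return the team name plus every development-profile trait found."""
    findings = []
    devices = profile.get("ProvisionedDevices")
    if devices is not None:  # store profiles are not bound to specific UDIDs
        findings.append(f"device-limited profile ({len(devices)} UDIDs)")
    if profile.get("Entitlements", {}).get("get-task-allow"):
        findings.append("get-task-allow=true (debuggable development build)")
    lifetime = profile["ExpirationDate"] - profile["CreationDate"]
    if lifetime <= timedelta(days=7):  # free Apple ID profiles last seven days
        findings.append(f"short-lived profile ({lifetime.days} days)")
    return {"team": profile.get("TeamName"), "suspicious": bool(findings),
            "findings": findings}


def _constructed_profile(team, created, expires, task_allow, devices):
    """Build a fake .mobileprovision: a few junk DER bytes around a real plist."""
    d = {"AppIDName": "XC com example chat", "TeamName": team,
         "CreationDate": created, "ExpirationDate": expires,
         "Entitlements": {"application-identifier": "TEAMID0000.com.example.chat",
                          "get-task-allow": task_allow}}
    if devices is not None:
        d["ProvisionedDevices"] = devices
    return b"\x30\x82\x04\x00" + plistlib.dumps(d) + b"\x00\x00"


# Constructed samples: a free-Apple-ID dev profile and a store-style profile.
DEV_SIGNED = _constructed_profile("Free Apple ID (constructed)", datetime(2016, 5, 1),
                                  datetime(2016, 5, 8), True, ["CONSTRUCTED-UDID-0000"])
STORE_SIGNED = _constructed_profile("Example Vendor (constructed)", datetime(2016, 1, 1),
                                    datetime(2017, 1, 1), False, None)

if __name__ == "__main__":
    for label, blob in (("dev", DEV_SIGNED), ("store", STORE_SIGNED)):
        print(label, classify_profile(extract_profile_plist(blob)))
```

On a real device the same logic applies to the embedded.mobileprovision inside the app bundle from an unencrypted backup.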
The attack is limited in both time and access. The researcher suggests that repair depots, corporate IT workers, or similar service venues would have a device for long enough to carry out the attack. The attack is not remote, so it can't be triggered by something like a visit to a compromised web page, a maliciously crafted JPEG in an email, or similar vectors.
While Tamir has only demonstrated the attack recently, it was discovered in December and reported to Apple in January. Despite the time elapsed since the vulnerability's discovery, Apple has yet to release a patch that closes the hole. Tamir has created a SandJacker tool that automates the attack, but intends to release it only after Apple publishes the patch.