Researcher reveals 'SandJacking' attack for accessing iOS app data
MacNN Staff
Join Date: Jul 2012
May 27, 2016, 02:39 PM
A security researcher has discovered a new way to attack iOS devices, one that could install malicious apps on a device, even if it hasn't been jailbroken by the user. Called SandJacking, the attack was demonstrated by Mi3 Security's Chilik Tamir at the Hack In The Box conference earlier this week; it allows an attacker with physical device access, and some time, to replace a legitimate app with a malicious version. The substitution in turn can provide the attacker with access to stored user data associated with the replaced app.

Apps running on non-jailbroken iOS devices distributed through the App Store require the developer to sign the app with a certificate, one that can only be granted via a certain process, with apps also reviewed by Apple and installations validated on the device itself. SecurityWeek reports that, despite these barriers, Tamir has still found ways to get around the security.

Previously, Tamir revealed a recent feature of Xcode 7 that allows developers to sign apps with certificates created via just an Apple ID, rather than the more thorough identification process used for App Store releases, or even enterprise certificate use. While an Apple ID is far easier to obtain, Apple does limit applications signed in this way, preventing them from accessing many services, but still potentially allowing it to access GPS data, address books, the calendar, and HealthKit, among other items.

Tamir has already shown off a proof-of-concept tool called Su-A-Cyder, which could be used to replace a genuine signed app on an iOS device, acting as if it is the genuine app while still providing the attacker access to that app's data. The attack can only be installed when the device is connected to a computer, so it is only suitable where physical access to the target's iPhone is possible and the passcode is known. Notably, while the vulnerability is present in devices running versions of iOS predating version 8.3, Apple has since tightened up security so that installing an app with a similar ID to another is not possible.

Despite Apple's best efforts, Tamir has now revealed SandJacking, a technique similar to Su-A-Cyder, but one that works on the latest version of iOS. Tamir notes that, while Apple has secured the install process to prevent replacement of legitimate apps, the restore process is unprotected, which still allows an attacker with physical access to make a backup, and switch out the legitimate app for a malicious version during a restoration from the backup previously made.

The attack was demonstrated using Skype at the conference, but it has also apparently been tested using other major applications. It is, however, limited to the sandbox of the replaced app, so multiple malicious apps would have to be created and switched in to gain access to more than one data source on the device. The victim is also said to be unlikely to notice the attack has taken place, unless they check the app's certificate and see that the device's provisioning settings have changed from the legitimate source.

The attack is limited in both time, and access. The researcher suggests that repair depots, corporate IT workers, or similar service venues would have a device for a sufficient time to implement the attack. The attack is not remote, so it can't be invoked by something like a compromised web page visit, maliciously crafted JPEG in an email, or similar vectors.

While Tamir has demonstrated the attack only recently, it was discovered in December and reported to Apple in January. Despite the length of time since the vulnerability's discovery, Apple has yet to create a patch to plug the security hole. Tamir has created a SandJacker tool that can automate the attack, but intends to only release it after Apple publishes the patch.
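A defender-side check in the spirit of the article's last point about inspecting an app's certificate and provisioning settings. This is an added example, not the researcher's tool or anything from the article: it reads an app's embedded.mobileprovision and flags a profile that was not issued to the expected publisher's team, is debuggable, or is pinned to registered devices, which is how a replacement signed with a free Apple ID would differ from an App Store build. The key names are the standard provisioning-profile plist keys; the expected team ID, the sample profiles and the envelope bytes are constructed.

```python
"""Audit an iOS app's embedded.mobileprovision for signs of re-signing.

Assumed layout (standard for provisioning profiles): a CMS/DER envelope whose
payload is an XML plist with keys such as TeamIdentifier, Entitlements,
ProvisionedDevices and ProvisionsAllDevices. The plist is pulled out by
locating the XML payload inside the envelope, so no CMS parsing is needed.
"""
import plistlib

PLIST_START, PLIST_END = b"<?xml", b"</plist>"


def extract_profile_plist(profile_bytes: bytes) -> dict:
    """Return the plist dictionary embedded in a .mobileprovision blob."""
    start = profile_bytes.find(PLIST_START)
    end = profile_bytes.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(profile_bytes[start:end + len(PLIST_END)])


def audit_profile(profile_bytes: bytes, expected_team: str) -> list:
    """List indicators that an app is not signed by the expected publisher.

    An App Store build carries the publisher's team ID, is not debuggable and
    is not pinned to a list of registered devices. A build re-signed with a
    free Apple ID (the SandJacking scenario) typically fails all three.
    """
    profile = extract_profile_plist(profile_bytes)
    entitlements = profile.get("Entitlements", {})
    findings = []
    if expected_team not in profile.get("TeamIdentifier", []):
        findings.append("TeamIdentifier does not match the expected publisher team")
    if not entitlements.get("application-identifier", "").startswith(expected_team + "."):
        findings.append("application-identifier is prefixed with another team ID")
    if entitlements.get("get-task-allow", False):
        findings.append("get-task-allow is true (debuggable development build)")
    if "ProvisionedDevices" in profile and not profile.get("ProvisionsAllDevices"):
        findings.append("profile is pinned to specific devices (not a distribution profile)")
    return findings


def make_profile(team: str, devices=None, debuggable=False) -> bytes:
    """Build a constructed sample profile behind a fake (non-CMS) envelope prefix."""
    plist = {
        "Name": "constructed sample profile",
        "TeamIdentifier": [team],
        "ProvisionsAllDevices": False,
        "Entitlements": {"application-identifier": f"{team}.com.example.app",
                         "get-task-allow": debuggable},
    }
    if devices:
        plist["ProvisionedDevices"] = list(devices)  # only development profiles carry this
    return b"\x30\x82\x00\x00CONSTRUCTED-ENVELOPE" + plistlib.dumps(plist)
```

On a real device the profile to audit is the embedded.mobileprovision inside the installed app bundle; a non-empty findings list for an app that should be an App Store build is the signal to investigate.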
Grizzled Veteran
Join Date: Jul 2006
Location: Seattle
May 28, 2016, 08:29 AM
Quote: "Tamir has created a SandJacker tool that can automate the attack, but intends to only release it after Apple publishes the patch." Oh great, that means that he'll only be helping hackers who attack iPhones whose users, for various reasons, can't upgrade to the patched version. Why does he even release a tool that can only be used for evil?
Author of Untangling Tolkien and Chesterton on War and Peace
Fresh-Faced Recruit
Join Date: Nov 2005
May 29, 2016, 09:24 AM
Who the hell has this much time on their hands to come up with something like this?

What a loser. I'll bet he's single and has no friends.
Senior User
Join Date: Mar 2009
Location: pacific northwest
May 29, 2016, 11:46 AM
At least he's waiting until Apple patches the vulnerability instead of selling it to the FBI for $1M. Apple has been known to patch older versions of software for hardware that can't be upgraded but I have to wonder why people won't update iOS to the latest version as long as their hardware can handle it. Lazy? Just don't know how to update? I did talk to a person who's never synced their iPhone to their laptop or iCloud. I'm hoping our little discussion will persuade them to do so.