by bengotow 2174 days ago
Wait, so you can just duplicate an app that has more privileges than your app, modify it, and run it to exploit its access?

This is a pretty glaring security issue actually - after reading this, it seems like Apple's choice to track app permissions / security exceptions by the app's bundle ID and not its file path was a pretty big mistake.

I wonder if this is a case of iOS security engineers working on macOS, forgetting that app bundle IDs aren't enforced by a central install flow on the platform?


File path is wrong, too. What should be checked is the bundle’s code signature.
It does check the code signature. However, it's not a "deep check". The problem with doing a deep check, including all of the apps Resources, is that this can be very resource intensive, depending on the app. It's the reason why Xcode takes forever to "verify" on first launch. If there was a deep code signature check on every TCC check, you would see a lot of very long pauses.
You can guarantee that the system apps haven't been tampered with, at their system file paths, because of System Integrity Protection. But all bets are off if you make a copy of a system app elsewhere on the disk.
Right, I meant “deep code signature” rather than “executable code signature”, thanks for the correction. I think macOS has a thing where it only checks the former the first time you launch an app and not after that, so you can scribble all over the resources and the system won’t care. Presumably this was thought to not be a big deal, but you showed a pretty good example of how you could launch a data-only attack on the privileges associated with the program :)
But surely they can do better than this? This really is a bad flaw.

At the least, couldn't they maintain a cache of verified signatures, based on the hash of the file? Then on subsequent loads, they could just hash the file and see if the hash was cached. Not as safe as checking on each load, mind, but surely a big improvement over checking it once and blindly assuming no changes!

I mean, if this was Windows it would be absolutely huge - they'd be ridiculed in infosec and HN circles alike, and IT teams across the globe would be nervously scrambling to get the patch applied before they got pwned.

It seems like Apple is getting off too lightly here, IMO.
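The thread above contrasts a "shallow" signature check (only the main executable) with a "deep" check (every file in the bundle, Resources included), and proposes caching verified hashes so later checks stay cheap. The following is an added example, not code from any commenter and not how macOS TCC or `codesign` is implemented: it builds a constructed, fake `Example.app` directory in a temp folder, records a shallow and a deep hash manifest (the proposed cache), then modifies a resource file and shows that only the deep manifest catches the change. All file names, the `Example.app` layout, and the function names are assumptions made for illustration.

```python
"""Deep vs. shallow bundle integrity check (added illustration, constructed data).

Models the thread's point: a check that covers only the main executable
does not notice tampering with a bundle's Resources, while a check that
hashes every file does. The "cache" is simply a saved manifest of hashes.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed in chunks so large resources do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shallow_manifest(bundle: Path) -> dict:
    """Hash only the main executable(s) under Contents/MacOS (the 'shallow' check)."""
    exe_dir = bundle / "Contents" / "MacOS"
    return {
        str(p.relative_to(bundle)): file_digest(p)
        for p in exe_dir.iterdir()
        if p.is_file()
    }


def deep_manifest(bundle: Path) -> dict:
    """Hash every regular file in the bundle, Resources included (the 'deep' check)."""
    out = {}
    for root, _dirs, files in os.walk(bundle):
        for name in sorted(files):
            p = Path(root) / name
            out[str(p.relative_to(bundle))] = file_digest(p)
    return out


def verify(bundle: Path, cached: dict, manifest_fn) -> list:
    """Compare the cached manifest against the bundle as it is now.

    Returns the sorted list of relative paths that were added, removed,
    or whose content hash changed; an empty list means 'matches cache'.
    """
    current = manifest_fn(bundle)
    changed = [k for k in set(cached) | set(current) if cached.get(k) != current.get(k)]
    return sorted(changed)


def make_fake_bundle(root: Path) -> Path:
    """Create a constructed, minimal .app-like tree; contents are placeholders, not real binaries."""
    bundle = root / "Example.app"
    (bundle / "Contents" / "MacOS").mkdir(parents=True)
    (bundle / "Contents" / "Resources").mkdir(parents=True)
    (bundle / "Contents" / "Info.plist").write_text("<plist/>")
    (bundle / "Contents" / "MacOS" / "Example").write_bytes(b"\xcf\xfa\xed\xfe fake mach-o header")
    (bundle / "Contents" / "Resources" / "main.js").write_text("console.log('hello')")
    return bundle


def demo() -> dict:
    """Record both manifests, tamper with a resource only, then re-verify each."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = make_fake_bundle(Path(tmp))
        shallow_cache = shallow_manifest(bundle)   # what a shallow check would remember
        deep_cache = deep_manifest(bundle)         # what a deep check would remember

        # Modify a resource file; the executable itself is left untouched.
        (bundle / "Contents" / "Resources" / "main.js").write_text("console.log('tampered')")

        return {
            "shallow_diff": verify(bundle, shallow_cache, shallow_manifest),  # expect []
            "deep_diff": verify(bundle, deep_cache, deep_manifest),           # expect the .js file
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns an empty shallow diff and a deep diff naming `Contents/Resources/main.js`, which is the gap the commenters describe: code that the bundle loads from Resources can change without the executable's own hash moving. The cached manifest is what makes the deep check affordable on repeat launches, since re-hashing is a read of the files rather than a full signature validation.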