
I was just reading through some source code for an iOS application and I'm curious about the security of the same. It seems that the access group of an application can be specified in the entitlements it was built with. However, if a user unknowingly installs malware which tries to be part of a particular group and read the data stored in the storage, isn't it a security issue?

Is the Apple Application Screening process the only thing that stops the above attack? Or is there some permission management concept that I'm missing out on? Thanks!

2 Answers


No, this is not a security risk. Provisioning profiles determine which access groups apps are allowed to claim access to, and provisioning profiles must be signed by Apple in order to function. Apple will only let you claim access to access groups created by other apps in your developer account.

The other answerer is mistaken; he/she links to a tool which is only for jailbroken devices and must be run as root, bypassing the standard iOS security mechanisms which apply to most devices.

AriX
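As an added illustration of the mechanism this answer describes (example code, not from the original post): the app's entitlements declare which keychain access groups it may claim, and the group must be named again when an item is stored or read. The team prefix, group name, service and account values below are assumed placeholders.

```swift
import Foundation
import Security

// Entitlement the app must be built with (assumed group name). The provisioning
// profile that grants it is signed by Apple and only covers groups under the
// developer's own team prefix, so an unrelated app cannot list this group:
//   <key>keychain-access-groups</key>
//   <array><string>$(AppIdentifierPrefix)com.example.shared</string></array>

// Placeholder team prefix and group name; the real prefix comes from the developer account.
let sharedAccessGroup = "ABCDE12345.com.example.shared"
enum KeychainError: Error { case itemNotFound, unexpectedStatus(OSStatus) }

// Attributes identifying one generic-password item inside a given access group.
func itemQuery(service: String, account: String, accessGroup: String) -> [CFString: Any] {
    return [kSecClass: kSecClassGenericPassword,
            kSecAttrService: service,
            kSecAttrAccount: account,
            kSecAttrAccessGroup: accessGroup]
}

/// Store a secret readable by every app entitled to `accessGroup`. If the calling
/// app's entitlements do not list the group, SecItemAdd fails with
/// errSecMissingEntitlement (-34018) and nothing is written.
func storeSharedSecret(_ secret: Data, service: String, account: String,
                       accessGroup: String = sharedAccessGroup) throws {
    let base = itemQuery(service: service, account: account, accessGroup: accessGroup)
    SecItemDelete(base as CFDictionary)   // replace any existing item
    var add = base
    add[kSecValueData] = secret
    add[kSecAttrAccessible] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Read the secret back from any app whose entitlements list the same group.
func readSharedSecret(service: String, account: String,
                      accessGroup: String = sharedAccessGroup) throws -> Data {
    var query = itemQuery(service: service, account: account, accessGroup: accessGroup)
    query[kSecReturnData] = true
    query[kSecMatchLimit] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status != errSecItemNotFound else { throw KeychainError.itemNotFound }
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return data
}
```

An app built without the matching entitlement gets errSecMissingEntitlement from both calls, which is the enforcement point the answer refers to.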

Yes, it's a security hole. For example, this tool can dump all the sensitive info in the keychain, including Wi-Fi and mail/facebook/any passwords off of your device.

  • From a developer's perspective, is there any way to prevent this? Also, would this issue exist even if the app does not share info with the group? Thanks! – Aug 13 '12 at 05:38
  • @H2CO3 Not exactly related, but can you answer [this](http://stackoverflow.com/questions/11793271/keychain-group-access-to-share-data-between-my-existing-applications) question? In brief, is there a way I can change the bundle seed ID of my already released applications, or can I somehow specify the bundle seed IDs of all my apps in the entitlements to share data in the keychain? – msk Aug 13 '12 at 05:46
  • It's only a security hole if the app can read the file. By default, the keychain database is not world-readable. You have to jailbreak your phone to gain access to the database. – Aidan Steele Oct 19 '12 at 00:52