iOS and Android weaknesses allow stealthy pilfering of website credentials
Scientists call on Apple and Google to mitigate "origin crossing" attacks.
Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission....
. . .
"Our research shows that in the absence of such protection, the mobile channels can be easily abused to gain unauthorized access to a user's sensitive resources," the researchers—who besides Wang, included Rui Wang and Shuo Chen of Microsoft and Luyi Xing of Indiana University—wrote. "We found five cross-origin issues in popular [software development kits] and high-profile apps such as Facebook and Dropbox, which can be exploited to steal their users' authentication credentials and other confidential information such as 'text' input. Moreover, without the OS support for origin-based protection, not only is app development shown to be prone to such cross-origin flaws, but the developer may also have trouble fixing the flaws even after they are discovered." (Bolding above mine.)
From my POV, it has been known for years that using iOS meant a restriction on user-added security. Therefore, for example, you are being tracked over the Internet using most iOS web browsers, whereas I have total control over Tracking Cookies on my Macs. This means your privacy as well as security is being compromised whenever you're on iOS, as opposed to the added security measures possible on OS X.
But what's discussed in the article goes to a much deeper point where even the iOS SDK, via Xcode, is instantiating these security flaws into developer applications. That's very bad and means this problem is not going to be solved simply by an iOS update. Xcode has got to be upgraded, then all the applications that have instantiated the security flaw code will have to be recompiled and redistributed in updates.
As ever, I'm grateful to researchers who uncover these problems. This isn't another memory management mess. It's something new to me and required a couple of readings to understand. I expect we'll be hearing more about this problem as developers sort out whether their apps are vulnerable or not.
~ ~ ~ ~ ~
[Ars trolls postscript: Lately I've been extremely displeased with what I call 'ars trolls' and unprofessional writers at Ars Technica. You can read my recent documentation of their shameful behavior HERE. However, I have consistently found Dan Goodin and the other computer security writers at Ars Technica to be excellent. I continue to recommend their work.]