XARA

For other uses, see Xara (disambiguation).

XARA (Cross-App Resource Access) is a class of vulnerabilities that allows malicious applications to gain unauthorized access to resources belonging to other applications running on the same operating system. First extensively documented in 2015 by researchers at Indiana University, Georgia Tech, and Peking University, XARA vulnerabilities represent significant security threats to modern sandboxed computing environments, particularly on macOS, iOS; similar inter-app vulnerabilities have also been identified on Android.

XARA attacks exploit weaknesses in inter-process communication mechanisms and access control policies, enabling attackers to bypass the principle of least privilege in sandboxed applications. Examples include unauthorized access to keychain items, URL scheme hijacking, WebSocket hijacking, and app container cracking. These vulnerabilities can lead to theft of authentication credentials and personal data without requiring privilege escalation or jailbreaking.

The 2015 XARA disclosure prompted security enhancements in major operating systems, such as stricter sandbox controls on macOS and iOS. However, new variants continue to emerge as application ecosystems become more complex and interconnected.

Initial Disclosure

An academic research paper entitled "Unauthorized Cross-App Resource Access on MAC OS X and iOS".^[1] was published on 26 May 2015 by a team of researchers from Indiana University, Tsinghua University, Peking University, Chinese Academy of Sciences, and Georgia Institute of Technology. The paper was widely released to the public on 16 June 2015^[2] and commented on by both mainstream and technical media outlets.^{[3][4][5][6][7]}

The paper identifies a number of separate categories of zero day threats to applications and stored passwords which can potentially be exploited by malware on iOS devices and OS X. The paper also discloses the existence of similar vulnerabilities on Android devices.

Response by Vendors

1. On 19 June 2015, Apple Computer responded to the press^[8] that they had implemented countermeasures to exclude malware containing the XARA exploit from their iOS App Store.

Attack Vectors

In XARA each attack vector violates the principles of a computer security sandbox.

1. Untrusted partners using shared resources such file system, keychain.
2. Inter-process communication without verification of partner.
3. Weak security policies of system installer allow other applications to be designated as shared resource bundles.

Known systems with problems

1. iOS from Apple Computer
2. OS X from Apple Computer
3. Android from Google

See also

• Targeted attacks
• Access Control
• Software-defined protection
• Sandbox (computer security)
• Vector (malware)