Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS

Apple uses several access control mechanisms to prevent third party applications from directly accessing security sensitive resources, including sandboxing and file access control. However, third party applications may also indirectly access these resources using inter-process communication (IPC) with system daemons. If these daemons fail to properly enforce access control on IPC, confused deputy vulnerabilities may result. Identifying such vulnerabilities begins with an enumeration of all IPC services accessible to third party applications. However, the IPC interfaces and their corresponding access control policies are unknown and must be reverse engineered at a large scale. In this paper, we present the Kobold framework to study NSXPC-based system services using a combination of static and dynamic analysis. Using Kobold, we discovered multiple NSXPC services with confused deputy vulnerabilities and daemon crashes. Our findings include the ability to activate the microphone, disable access to all websites, and leak private data stored in iOS File Providers.