Apps with a hidden “dark side” could sneak past Apple’s approval process, according to researchers at Georgia Tech. The researchers proved this theory using a malicious app which was approved and downloaded via App Store in March this year.
So-called “Jekyll” apps can hide malicious behaviour which would fall foul of Apple’s review process, said the five-person team led by research scientist Tielei Wang. Wang’s team were able to publish an app via Apple’s App Store, then use it on iOS devices to perform malicious tasks such as taking photos, sending emails and SMS without the user’s consent and exploiting kernel vulnerabilities.
“Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process,” Wang’s team said. “The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”
“We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.”
An Apple spokesperson said that patches since March 2013 had addressed some of the issues raised by Wang’s research.
“The idea of hiding vulnerabilities and later exploiting them is not easy to fix by Apple. It’s a fundamental issue for Apple. Most likely Apple can use better sandbox policies to refine what we can do. But 6.1.3 doesn’t fix them,” Tielei Wang said in an interview with The Guardian.
Wang’s team worked alongside the Georgia Tech researchers who created a prototype “malicious charger” which could infect iPhones with malware in under a minute.
“Apple utilizes a mandatory app review process to ensure that only approved apps can run on iOS devices, which allows users to feel safe when using any iOS app,” said Georgia Tech Associate Director Paul Royal. “However, we have discovered two weaknesses that allow circumvention of Apple’s security measures.”
“We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices,” said Wang. “Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps — all without the user’s knowledge.”
“These results are concerning and challenge previous assumptions of iOS device security,” said Royal. “However, we’re pleased that Apple has responded to some of these weaknesses and hope that they will address our other concerns in future updates.”
Author Rob Waugh, We Live Security