Apple’s strict app review process has safeguarded the App Store from malware, but a new paper from researchers at the Georgia Institute of Technology show that it’s possible to remotely execute hidden malicious code included in apps downloaded through the App Store.
The researchers call these “Jekyll” apps, which are similar to trojan programs, in that the “hacker” has control over both the app as well as the server it is connecting to. The exploit is fairly complicated, but the simplified flow of events is:
- The attackers develop an iOS app with a server side component, which they control.
- In addition to the normal code, the attackers also include malicious code, which make (undetectable) calls to private iOS APIs to gain access to sensitive personal information, which could then be uploaded to their servers.
- While a normal app that includes such malicious code would get rejected in Apple’s review process, the attackers use a sophisticated technique to prevent such code from ever running during the normal course of execution of the app.
- The app passes Apple’s review process and goes live on the App Store without ringing any alarms.
- Now the app exploits a stack overflow (triggered by a response from the server) to change the execution sequence of instructions, so that the control reaches the hidden malicious code, and it gets executed.
The researches demoed malicious code that could automatically send tweets, record videos without user consent, dial any number and so on.
The above explanation is a very simplified version of what actually goes, so if you’re interested in the details you can read the research paper (PDF link) published by the researchers.
In the paper, the researchers say that it would be very hard for Apple to effectively thwart such “Jekyll” apps on the App Store:
We argue that the task of making all apps in App Store vulnerability-free is not only theo- retically and practically difficult, but also quite infeasible to Apple from an economic perspective because such at- tempts will significantly complicate the review tasks, and therefore, prolong the app review and approval process that is already deemed low in throughput by third-party app developers.
Apple, on its part, says that it has made some modifications to iOS 7 which prevent the exploit from working. Its tight control over the App Store helps, too — the company can at any time pull offending apps and suspend developer accounts of those found guilty of exploiting these techniques. iOS, of course, still remains very secure with defensive measures like ASLR, sandboxing, and even these apps are ultimately limited by the fact that they don’t have root access to the OS and can’t run arbitrary, unsigned code.
Back in 2011, noted iOS hacker Charlie Miller had managed to exploit a flaw in iOS’ code signing mechanism, which allowed him to run arbitrary code sent from a server on an iPhone via an approved app on the App Store. More recently, Apple fixed a malicious charger hack, again discovered by researchers at the Georgia Institute of Technology, in iOS 7.
It remains to be seen how Apple responds to this new threat.
[Via MIT Technology Review]