8/16/2013
04:16 PM

Apple iOS Security Defeated By Sneaky App

After slipping a malicious app past Apple's App Store reviewers, security researchers say Apple should strengthen its defenses.

Five computer security researchers from the Georgia Institute of Technology have demonstrated that they can create malicious apps that can avoid detection by Apple's app review process.

In "Jekyll on iOS: When Benign Apps Become Evil", a paper presented at the Usenix Security '13 conference, Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee describe how they were able to create apps that can be exploited remotely through program paths that did not exist during the app review process. The researchers call these "Jekyll apps," because they conceal their malicious side.

Apple takes justifiable pride in its iOS security regime. Though the company's scrutiny of third-party apps often forces developers to do extra work to satisfy its rules, its oversight has kept malware at bay more effectively than the efforts of the company's competitors. A 2011 research paper, "A Survey of Mobile Malware in the Wild", identified all known Android, iOS, and Symbian malware that spread between January 2009 and June 2011. Of the 46 instances of mobile malware during this period, only 4 affected iOS, compared to 24 for Symbian, and 18 for Android.

Nonetheless, iOS, like any operating system, has flaws that can be identified and exploited. While Apple tends to address such flaws quickly once it becomes aware of them, it can't fix problems that it can't identify. Wang and his colleagues show that exploitation can be accomplished without a specific vulnerability, by concealing malicious attack logic.

"Jekyll apps do not hinge on specific implementation flaws in iOS," the paper explains. "They present an incomplete view of their logic (i.e., control flows) to app reviewers, and obtain the signatures on the code gadgets that remote attackers can freely assemble at runtime by exploiting the planted vulnerabilities to carry out new (malicious) logic."

Assembling malicious logic at runtime avoids detection by reviewers and by automated methods of static analysis, a way to analyze program code without actually executing the instructions.

To prove that point, the researchers managed to submit a malicious "Jekyll" app, have it approved by Apple, and download it before voluntarily removing it from the iTunes App Store.

The construction of "Jekyll apps" may be more elaborate than necessary to sneak code that violates Apple's rules past app reviewers. Last year, for instance, the iOS app iRandomizer Numbers was found to have an undocumented tethering feature that violated Apple's review guidelines. The app was pulled from the iTunes App Store and AT&T's mobile business did not collapse as a result of unexpected network data traffic. But the incident demonstrates that Apple does not catch every app with undocumented features.

Asked whether it might not be easier just to create an app that acted maliciously for a single, targeted victim or after several months of use, Wang responded in an email that he and his colleagues are assuming that Apple has complete insight into unexecuted branches of code that lead to malicious behavior when certain conditions are met.

The paper argues that it is theoretically difficult and economically prohibitive for Apple to keep its App Store free of vulnerabilities. Nevertheless, it does offer a few suggestions about how to mitigate the risk of "Jekyll" apps through runtime security monitoring mechanisms.

The researchers propose a stricter execution environment, along the lines of the way Google limits Native Client code, even as they express doubts about the ease with which Apple could accomplish this, due to the tightly coupled nature of public and private frameworks in iOS. They also advocate for more finely-grained use of security techniques like address space layout randomization (ASLR), permission models and control-flow integrity (CFI). Finally, they suggest that Apple adopt a type-safe programming language like Java to protect against low-level memory errors such as buffer overflows.
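
To make the control-flow integrity suggestion concrete, the following C program is an added example (not code from the paper or from Apple) showing a forward-edge check that refuses an indirect call whose target was never part of the reviewed control flow. All function names are hypothetical, and the corrupted pointer value is simulated directly rather than produced by a real memory bug.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

#define GADGET_RAN    (-1)     /* marker: unreviewed code executed */
#define CFI_VIOLATION (-1000)  /* marker: indirect call was refused */

/* Handlers reachable on the control-flow paths a reviewer can see. */
static int show_news(int x)   { return x + 1; }
static int show_sports(int x) { return x + 2; }

/* Shipped and signed with the app, but no reviewed path calls it. */
static int unreviewed_gadget(int x) { (void)x; return GADGET_RAN; }

/* Forward-edge policy: the indirect-call targets seen at review time. */
static const handler_t allowed_targets[] = { show_news, show_sports };

static int target_is_allowed(handler_t f) {
    size_t n = sizeof allowed_targets / sizeof allowed_targets[0];
    for (size_t i = 0; i < n; i++)
        if (allowed_targets[i] == f)
            return 1;
    return 0;
}

/* Value held by the handler slot; corrupted=1 models the state after a
 * planted memory bug has been triggered (the bug itself is not shown). */
static handler_t slot_value(int corrupted) {
    return corrupted ? unreviewed_gadget : show_news;
}

/* No CFI: the call goes wherever the pointer says. */
static int dispatch_unchecked(handler_t f, int arg) { return f(arg); }

/* With CFI: the target is validated before control is transferred. */
static int dispatch_checked(handler_t f, int arg) {
    if (!target_is_allowed(f))
        return CFI_VIOLATION;
    return f(arg);
}

int main(void) {
    printf("intact,    checked:   %d\n", dispatch_checked(slot_value(0), 1));
    printf("corrupted, unchecked: %d\n", dispatch_unchecked(slot_value(1), 1));
    printf("corrupted, checked:   %d\n", dispatch_checked(slot_value(1), 1));
    return 0;
}
```

The allowlist here is deliberately per-call-site; a coarser policy that accepts any function entry point would let the unreviewed target through, which is why the researchers ask for finer-grained enforcement.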

Comments
melgross,
User Rank: Ninja
8/17/2013 | 5:50:32 PM
re: Apple iOS Security Defeated By Sneaky App
Apple has stated that they've already fixed the loophole.
SamsDroid,
User Rank: Apprentice
8/17/2013 | 7:26:49 PM
re: Apple iOS Security Defeated By Sneaky App
iOS sucks. This would never happen on Android.
SamsDroid,
User Rank: Apprentice
8/17/2013 | 7:27:28 PM
re: Apple iOS Security Defeated By Sneaky App
Android fixes it before it happens.... That's the difference.
John K Sellers,
User Rank: Apprentice
8/19/2013 | 1:23:49 AM
re: Apple iOS Security Defeated By Sneaky App
It cuts the other way too. A couple of years ago, the Apple Store removed a children's programming App called Scratch that was written in Squeak Smalltalk.

It was a wonderful App and should definitely be in the Apple Store.

This is especially true since Apple has a long history with its roots close to Smalltalk. One of their first computers had an Object Oriented OS that drew heavily on the Smalltalk paradigm.

Over 40 years ago "Alan Kay invented the idea of a lightweight tablet computer using Smalltalk." We would all be better off if that had succeeded.

I think that it is fine to have tablets like the iPad, but because of security concerns, the iPad throws "out the baby with the dishwater". It loses a lot of its potential by being so exclusive. But that is what happens when one is more interested in profits than real progress as almost all companies are.

With exactly the right kind of work, it would take more to do the job than any company has been willing to do, but the company that comes along and actually does the real job would leave all the pervasive pretenders in the dust in terms of making real progress AND money.
mstanislav,
User Rank: Apprentice
8/20/2013 | 3:38:19 PM
re: Apple iOS Security Defeated By Sneaky App
App stores are going to continually up their level of interrogation to stay ahead of malware. In a similar way that PC users are still fighting malware, mobile platforms also have to make certain assumptions to detect malware-laden apps before they get to a consumer. While still an uphill battle, the control that Apple and Google have over the actual app stores (to varying degrees, of course) allows for a fighting chance, at least. There's a minimum set of hurdles that an attacker has to jump over in order to have an app pass through their direct stores.

This research has some commonalities to the work Jon Oberheide and Charlie Miller did last year regarding Android's Bouncer (https://blog.duosecurity.com/2.... In that research they determined how Google was flagging a "bad app" and were able to circumvent that process by hiding the malware functionality when tested by Bouncer but not on a real device that would actually matter to an attacker. Overall, both pieces of research have huge implications for strengthening the security programs at Google and Apple.