Solutions designed to help iOS app developers quickly push out hotfixes and updates can be abused by malicious actors to bypass the mechanisms Apple has put in place to maintain a secure application ecosystem, FireEye has warned.
Apple smartphones and tablets running the iOS operating system are considered more secure than mobile devices running Google’s Android partly because users can only install applications from the official App Store, which hosts apps that undergo strict security and integrity checks.
This process must also be followed when a new release or hotfix is rolled out, which can be inconvenient and frustrating for app developers, especially when a quick fix is needed for a serious bug.
In order to address this issue, the community has developed tools that allow developers to push out patches and updates without having to go through Apple’s standard process. FireEye’s mobile security researchers have analyzed some of these alternatives in an effort to determine the risks they introduce.
Up until now, there have been two main attack vectors that malicious actors could use to target iOS systems. One involves malware designed to work on jailbroken devices, which allow users to install applications from third-party websites, as in the case of the iOS malware dubbed KeyRaider.
Another method, which can be used against non-jailbroken devices as well, involves application sideloading via enterprise certificates, as seen in attacks using the YiSpecter malware. Apple has updated the sideloading process in iOS 9 in an effort to boost app security.
FireEye has described several scenarios in which a malicious actor can exploit JSPatch to target non-jailbroken devices. In the first scenario, the attacker develops a harmless application with JSPatch embedded and submits it to the Apple App Store. Once it passes Apple’s inspection, the app is made available on the App Store and downloaded by users.
A malicious hacker can use this technique against applications using JSPatch to access sensitive information, including media files and the content of the pasteboard, change system properties, and load arbitrary public frameworks into the app process.