iOS App Patching Tool “Rollout” Prone to Abuse

Researchers at security firm FireEye have analyzed another hot-patching solution for iOS applications that could be abused by malicious actors to turn harmless apps into malware.

Updates and hotfixes created by iOS application developers for software available in the Apple App Store have to go through Apple's strict security and integrity review. Because this review takes time, which is a problem when a fix needs to reach users quickly, some companies and independent developers have created tools that push updates to installed apps directly, bypassing the review.

While these solutions can be useful as they allow developers to easily roll out fixes by adding a few lines of code to their applications, FireEye has warned that they can also be abused by threat actors to push malicious code to apps after they pass Apple’s inspection.

In January, the security firm analyzed JSPatch, an open source hot-patching tool built on top of Apple’s JavaScriptCore framework. JSPatch has been found in more than 1,200 apps available in the App Store.

FireEye on Monday published the results of research targeting a similar solution, namely Rollout.io.

Rollout is a commercial tool that allows developers to easily debug and hot-patch their products by giving them remote code-level access to the live app. Using technologies and techniques such as debug symbol (dSYM) files, the JavaScriptCore framework, and method swizzling, Rollout enables developers to carry out a wide range of modifications.

Researchers reported identifying the use of Rollout in 245 apps found in the App Store (as of January 19), and the developer says its solution is currently running on 35 million devices. Unlike JSPatch, which is mainly used by Chinese developers, Rollout’s customer base is international and predominantly English-speaking.

FireEye has published a blog post detailing how attackers can use Rollout and Apple’s private APIs to access a device’s camera and microphone, scan a phone to determine if a certain application is installed, make calls to premium numbers, and take screenshots. There are two scenarios for an attack involving Rollout: the app developer is malicious, or an unwitting developer integrates a malicious third-party ad SDK into a legitimate app.

Experts have described a theoretical attack scenario in which an apparently harmless iOS app is utilized to conduct malicious activities, but noted that such attacks have not been spotted in the wild.

FireEye informed Rollout of its findings and the vendor is preparing a new version of its product that will prevent developers from accessing private iOS APIs and frameworks. Since the attack examples described by researchers involve these types of components, restricting their use can prevent abuse.
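The fix the vendor describes, rejecting patches that reach into Apple's private APIs, is a policy gate on the patch script before it is shipped to devices. The following is an added example of such a gate, written for this article; it is not Rollout's or FireEye's code. It assumes patches are JavaScript in a JSPatch-like style (Objective-C classes imported with `require('ClassName')` and methods called as `obj.selector(...)`); the allow-list, the sample patches and the `ZZPrivateDeviceService` class name are all constructed placeholders, not real Apple identifiers. A real deployment would generate the allow-list from the public SDK headers and resolve receiver types rather than matching names, but the structure of the check is the same: anything the patch references that is not on the public list is rejected.

```python
"""Static allow-list gate for hot-patch scripts (constructed example).

Assumptions (not from the article): patches are JavaScript in a JSPatch-like
style. Objective-C classes are obtained with require('A, B') and methods are
called as receiver.selector(...). The allow-list below is a tiny constructed
sample standing in for the public SDK surface.
"""
import re

# Constructed sample of public classes and selectors a patch may use.
PUBLIC_CLASSES = {"UIView", "UILabel", "UIColor", "NSString", "NSURL"}
PUBLIC_SELECTORS = {
    "alloc", "init", "view", "addSubview", "setHidden", "setBackgroundColor",
    "setText", "setTextColor", "redColor", "blackColor", "length",
    "stringWithFormat",
}

# Calls that belong to the JavaScript side, not to Objective-C, so they are
# not checked as selectors.
JS_BUILTINS = {"require", "defineClass", "log", "call", "apply", "push",
               "join", "forEach", "toString"}

# require('UIView, UIColor') -> the comma-separated class list
REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
# receiver.selector(  -> the selector name
CALL_RE = re.compile(r"\.([A-Za-z_]\w*)\s*\(")


def audit_patch(script: str) -> dict:
    """Return which classes/selectors in the script fall outside the allow-list.

    The patch is accepted only when every imported class and every called
    selector is on the public list. This is a coarse, name-based check: it
    does not resolve receiver types, so it errs on the side of rejecting.
    """
    classes = set()
    for match in REQUIRE_RE.finditer(script):
        classes.update(name.strip() for name in match.group(1).split(","))
    selectors = {m.group(1) for m in CALL_RE.finditer(script)} - JS_BUILTINS

    unknown_classes = sorted(c for c in classes if c not in PUBLIC_CLASSES)
    unknown_selectors = sorted(s for s in selectors if s not in PUBLIC_SELECTORS)
    return {
        "accepted": not unknown_classes and not unknown_selectors,
        "unknown_classes": unknown_classes,
        "unknown_selectors": unknown_selectors,
    }


# Constructed sample patch that only touches public UIKit API.
SAFE_PATCH = """
require('UIView, UIColor');
defineClass('WelcomeViewController', {
    viewDidAppear: function(animated) {
        var banner = UIView.alloc().init();
        banner.setBackgroundColor(UIColor.redColor());
        self.view().addSubview(banner);
        console.log('patched');
    }
});
"""

# Constructed sample patch that imports a class not on the public list.
# ZZPrivateDeviceService is a placeholder name, not a real Apple class.
SUSPICIOUS_PATCH = """
require('UIView, ZZPrivateDeviceService');
defineClass('WelcomeViewController', {
    viewDidAppear: function(animated) {
        var svc = ZZPrivateDeviceService.sharedInstance();
        svc.zzStartCapture();
    }
});
"""

if __name__ == "__main__":
    for label, script in (("safe", SAFE_PATCH), ("suspicious", SUSPICIOUS_PATCH)):
        print(label, audit_patch(script))
```

Run as-is, the safe patch is accepted and the suspicious one is rejected with the placeholder class and its two selectors listed; the useful output for an operator is the list of unknown names, which can be reviewed and either added to the allow-list or treated as a reason to refuse the patch.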

“Rollout’s solution allows mobile companies to mitigate production quality and performance issues; Rollout.io is already running on 35 million devices and has proven invaluable for preventing app downtime, increasing app rating and improving user experience,” Erez Rusovsky, CEO & co-founder of Rollout, told SecurityWeek.

“As written in the FireEye report, there are many ways developers can exploit the Objective-C Runtime and bypass the App Store review process with the intent of using Apple’s private APIs (w/o Rollout.io). Nonetheless, Rollout is fully committed to preventing abuse of our technology and we are currently updating our systems to reject usage of Apple’s private APIs,” Rusovsky added. “We thank Jing Xie and the rest of the FireEye team for their help in this matter.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
