Researchers at the Georgia Institute of Technology have found a foolproof way to bypass Apple’s mandatory app review and code signing mechanisms to sneak a malicious app into the iOS ecosystem.
The researchers — Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee — created what initially appears to be a harmless app that easily gained Apple’s approval for entry into the iOS app store. Once the app is loaded in the App Store, it can then be tweaked remotely and instructed to do malicious things on the iOS device.
The trick, disclosed at this year’s USENIX Conference, is to make apps remotely exploitable and later introduce “malicious control flows by rearranging signed code.”
Because Apple does not review new control flows during the app verification process, the malicious nature of an app can stay undetected to bypass the company’s heralded security mechanisms.
The researchers showcased a proof-of-concept app, called Jekyll, that was approved for publication in the iOS app store. Once inside the Apple kingdom, the group remotely launched the attacks on devices that installed the app.
“The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities,” the researchers explained.
All these malicious tasks can be done even with the app running inside the iOS sandbox.
The researchers note that the evasion trickery does not violate any rules imposed by Apple.
“Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice. However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks,” the group explained.
In the paper, the researchers also disclosed the discovery of private APIs in iOS that can be abused to send email and SMS and post Twitter messages without the user’s consent.
