Researchers at the Georgia Institute of Technology have found a foolproof way to bypass Apple’s mandatory app review and code signing mechanisms to sneak a malicious app into the iOS ecosystem.
The researchers — Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee — created what initially appears to be a harmless app that easily gained Apple’s approval for entry into the iOS app store. Once the app is loaded in the App Store, it can then be tweaked remotely and instructed to do malicious things on the iOS device.
The trick, disclosed at this year’s USENIX Conference, is to make apps remotely exploitable and later introduce “malicious control flows by rearranging signed code.”
Because Apple does not review new control flows during the app verification process, the malicious nature of an app can stay undetected to bypass the company’s heralded security mechanisms.
The researchers showcased a proof-of-concept app, called Jekyll, that was approved for publication in the iOS app store. Once inside the Apple kingdom, the group remotely launched the attacks on devices that installed the app.
“The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities,” the researchers explained.
All these malicious tasks can be done even with the app running inside the iOS sandbox.
The researchers note that the evasion trickery does not violate any rules imposed by Apple.
“Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice. However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks,” the group explained.
In the paper, the researchers also disclosed the discovery of private APIs in iOS that can be abused to send email and SMS and post Twitter messages without the user’s consent.
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
Latest News
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Zoom Expands Privacy Options for European Customers
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Dozens of Malicious Extensions Found in Chrome Web Store
