The Georgia Institute of Technology researchers announced the claim when presenting their Jekyll on iOS: When Benign Apps Become Evil [PDF] paper at the Usenix Conference. The exploit works by loading malicious code into a seemingly innocent app and activating it after the app has cleared Apple's securing vetting.
"Apple adopts the mandatory app review and code-signing mechanisms to ensure that only approved apps can run on iOS devices. We present a novel attack method that fundamentally defeats both mechanisms. Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process," read the paper.
"Once the app passes the review and is installed on an end user's device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple's approval."
The researchers claim they have already successfully tested the exploit, proving it is possible to sneak a variety of malware onto Apple's iOS platform.
"We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll apps can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities," read the report.
Whether Apple is aware of the claims is currently unclear, and at the time of publishing the iPhone maker had not responded to V3's request for comment on the white paper.
Apple has so far managed to keep its iOS operating system malware free by maintaining it as a closed ecosystem. This means developers can only sell their wares on Apple's official App Store, which scans and vets all applications before allowing them into the marketplace. Earlier this year F-Secure security expert Mikko Hypponen praised Apple for its robust security, listing the App Store as one of the security community's greatest achievements.
F-Secure analyst Sean Sullivan told V3 that Apple security is still maintained despite the findings from the Georgia Institute of Technology, noting that the research has limited real-world implications.
“It’s interesting in theory, but not a big deal practically speaking. Apple’s App Store is a monopoly. And that makes it more secure – not because of technology – but because of economics,” he said.
“Anybody that is actually able to get their app ranked (or even noticed) and downloaded in any kind of significant numbers will not waste their time producing a Jekyll app. At least not for financial gain. If you can get noticed in the App Store, you can make much more money selling a legit app than you can a malware scheme. In theory, maybe you’d try a Jekyll app if you had some kind of political agenda.”
No comments:
Post a Comment