Apple's iOS still more secure than Android despite spoof of App Store


Summary: A team at Georgia Tech reports that it was able to upload a fake malware app to the Apple App Store. However, this event doesn't mean that Android is now the better choice when it comes to security.


A paper presented at last week's USENIX Security Symposium in Washington described how a group of security researchers at Georgia Tech were able to create a "novel method of attack" that can defeat the mandatory software review and code-signing mechanisms defending apps in the Apple App Store. The title of the paper was Jekyll on iOS.

The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.

We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.

So, the supposedly benign app gets approved by the App Store and then starts rearranging its code on the iOS client. It "phoned home" and requested new commands from the external malware site, according to Long Lu, one of the researchers, quoted in a report at the MIT Technology Review.

Lu says that by monitoring the app, they could tell that Apple ran it for only a few seconds prior to releasing it. During the review, the malicious code had been decomposed into “code gadgets” that were hidden under the cover of legitimate app operations and could be stitched together after approval. “The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says.

Does this researcher-driven, white-hat attack mean that Apple's integrated security platform is not working? Nope, it simply means that Apple will plug this particular hole to prevent malware from sneaking in under the transom. Certainly, iOS is still much more secure than the Android ecosystem, which is open.

In April, Symantec's Security Threat Report said that the company identified 108 new malicious programs for mobile devices in 2012, and 95 percent were aimed at Android devices. A single threat was aimed at the iOS operating system, Symantec said. Now, as we know, this low rate can't be because iOS is so much stronger than Android. And with iOS's early entry to the market, it has been more scrutinized by security researchers, who have discovered plenty of vulnerabilities.

The lack of actual exploits on iOS must be attributed to the success of the Apple integrated approach combining sandboxing and a closed software distribution system. More than 90 percent of iOS users run iOS 6 (versus some 30 percent on Android). The groups of iOS devices most open to malware are the ones that have been jailbroken (in a sense making them more like Android devices), and the ones that are used as solo devices away from iTunes on either Macs or Windows.

In fact, the Georgia Tech exploit report should remind iOS users to always make sure they are running the latest version of iOS, which contains the latest security patches, and to always back up their apps and data with iTunes. This backup ensures that in the case that some malware app is downloaded, the device can be wiped and restored with data intact.


Now, this isn't the first time there's been a kerfuffle over security or the perceived lack of security in an Apple platform. Take OS X on the Macintosh, for example. Back in the days of the Apple- and PC-guy ads, there was one where John Hodgman sneezes and walks over to the Mac guy and tells him that he has a virus that's going around. "Don't be a hero," he warns. Mr. Mac responds that he's not worried and there's no concern that he will get one of the Windows viruses. The concern for Mac malware at the time was almost negligible.

In many ways, the situation remains the same today, but with a twist. There are very few Mac viruses in the wild. I recall that I've been infected perhaps one time in 30 years. I've never had a malware attack on my modern, Intel-based Mac that targeted OS X or Mac applications themselves. However, like many other Mac users, I have Windows installed on my Mac and that's the primary vector for attacks. My anti-malware programs catch a few problems in attachments every day; all are for Windows. Many years ago, I had a macro virus exploit, but that was because it targeted Microsoft Office, a cross-platform opportunity.

I've always been intrigued by the fact that the Mac — and now iOS — are the most homogeneous computing platforms in the world, unlike their respective Windows and Android competition. That should make the Apple platforms more vulnerable to a concerted attack by malware makers. Instead, the Apple OSes have the better real-world records in the exploit department.

  • no, it's not ;)

    the proofs search with google:

    "iPhones most vulnerable among smartphones"
    "Apple iOS Apps Leak More Personal Info Than Android"
    "40% of iOS popular apps invade your privacy without any permission."
    "How Apple and Amazon Security Flaws Led to My Epic Hacking"
    • It is OK....

      Calm down, no need to get too excited over one overly defensive blog post of an iFan.
      This blog sounds a bit like a cheating husband: "No, it is not what it looks like!"
      • OK

        but you know, Apple can change public opinion by these paid "opinions". I just copy a few articles full of facts in comparison to this article, so it is easy for me :)
        • Lol!

          You posted articles of facts??? Oh that's funny right there. No, you posted link baiting titles to support your claims.

          Fact is, iOS is more secure. Period.
          • Facts are iOS got hacked 3 times

            Across the ecosystem under a month with serious hacks:

            - Developer network breached, who knows what has been compromised.
            - The incident spoken of in this article, where white hat researchers proved innocuous apps can compromise users' security.
            - Hardware across iOS connector can compromise any device.

            No fix has been issued by Apple on two, the developer network is up and running, though no news on what has been compromised.

            Android security concerns are:
            - Bitcoins, does not affect all the ecosystem. Fix issued already.
            - Blue Box Security alleged that they were able to compromise all apps on an HTC phone and alleged that it affects the ecosystem. Remains to be proven. Android security bug 8219321.

            These are facts that prove Android ecosystem is a safer haven than iOS, especially considering our has a greater amount of attack vectors and has a greater market share.
          • Android has not been hacked.

            iOS has.

            These are the facts.
          • The author makes assumptions

            To prove his point:

            That because Android has 95 percent of a given threat list of a low level security provider on Android McAfee (must users use Lookout) look at how many downplays each has.

            He doesn't take into account market share and where majority of the threats are located Asia, where users use unapproved app stores and iOS is a blimp of the market share.

            That was real professional on his part.
          • Seriously?

            What about this?

            Maria Davidenko
          • just

            Just messaging if you don't install stupid apps you don't need to care ;)
          • Don't install, sure

            You know, most of the time average user installs stupid apps. And PlayStore doesn't even try to control the process, so that stupid apps won't enter the store. The users sometimes install the apps in order to install, keeping nothing else in mind. I saw it by my own eyes on experienced users, not average
            Maria Davidenko
          • Maria

            I voted for your comment, the vote count went DOWN. This is ZDNET for you. How could this happen? There is no down-voting! This happened twice.
          • No clue.

            Sounds like a bug. :-) What comment did you vote?(thanks)
            Maria Davidenko
          • I think they divide the votes.

            For example, if it is running 10 Votes, 5 flags, the next one to vote it will show 2Votes, 1 Flag.

            But somehow I think they still have it wrong as it is not weighted correctly after each re-average.
            The Danger is Microsoft
          • Strange

            Votes by flags? Hmm... I'm sure there's some logics after this subtraction. :-)
            Maria Davidenko
          • Maybe they have the maximal number of votes and flags per question

            Though sounds unbelievable... :-)
            Maria Davidenko
          • It's a Simple Glitch, Nothing More!

            First vote you enter changes all the following totals to same as the one you click on. As you go down the comments, the real count is actually showing previous count of comment you just clicked on. After the click, it's giving you the proper count. That's all that's happening. They aren't taking away your vote or doctoring votes. It's a glitch in whatever traffic counter off site tool being used!
          • Maria

            You are right! Plus 99% of all Android end users accept the app installation without reading what the app will do to their system.

            Without the PlayStore accepting any responsibility to perform any checking that leaves who knows if their Android phone is calling "home" to a hacker haven.
          • Without the PlayStore accepting any responsibility

            They don't want to take the responsibility, this is too complicated. They rather will say this is the "open world".
            The users are users, there is nothing we can do with this behaviour , you've mentioned. We can not educate them all, it is simply impossible. All we can do is to try to prevent the breaches. But Google even doesn't try. Android developers themselves say Android more vulnerable, than iOS! There could be the greatest debates about open world of Android and "closed world" of Apple, but in case of the security there can't be debate: Android is the most vulnerable mobile OS because of its open nature.
            Maria Davidenko
          • to lying Maria

            no, Android is not the most vulnerable, you just write your probably paid opinion without facts (called FUD), facts are these that you can find with google and read more:

            "iPhones most vulnerable among smartphones"
            "Apple iOS Apps Leak More Personal Info Than Android"
            "40% of iOS popular apps invade your privacy without any permission."
            "How Apple and Amazon Security Flaws Led to My Epic Hacking"
          • Paid opinion????????????

            Excuse me, are you normal (I'd use another word here, but I don't want to take this discussion down to the private level, like you do it)??? Paid opinion? If my opinion was paid, why you see it just in few discussions, involving iOS ONLY? You're nothing more than a liar, unable to turn on your logics and think according to it! Just a simple logics, nothing more! Open your door - everyone will enter, close it - some will think whether they want to enter or not. Paid opinion, well well.. Till I've registered account on ZDNet 2 years ago, I didn't know such thing like "paid opinion".
            Maria Davidenko