A paper presented at last week's USENIX Security Symposium in Washington described how a group of security researchers at Georgia Tech were able to create a "novel method of attack" that can defeat the mandatory software review and code-signing mechanisms defending apps in the Apple App Store. The title of the paper was "Jekyll on iOS." From the authors' abstract:
The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.
We implemented a proof-of-concept Jekyll app and successfully published it in the App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, the Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.
So, the supposedly benign app gets approved by the App Store and then starts rearranging its code on the iOS client. It "phoned home" and requested new commands from the external malware site, according to Long Lu, one of the researchers, as quoted in a report at the MIT Technology Review.
Lu says that by monitoring the app, they could tell that Apple ran it for only a few seconds prior to releasing it. During the review, the malicious code had been decomposed into “code gadgets” that were hidden under the cover of legitimate app operations and could be stitched together after approval. “The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says.
Does this researcher-driven, white-hat attack mean that Apple's integrated security platform is not working? Nope, it simply means that Apple will plug this particular hole to prevent malware from sneaking in under the transom. Certainly, iOS is still much more secure than the Android ecosystem, which is open.
In April, Symantec's Security Threat Report said that 108 new malicious programs for mobile devices were identified in 2012 by the company, and 95 percent were aimed at Android devices. A single threat was aimed at the iOS operating system, Symantec said. Now, as we know, this low rate can't be because iOS is so much stronger than Android. And with iOS's early entry to the market, it has been more scrutinized by security researchers, who have discovered plenty of vulnerabilities.
The lack of actual exploits on iOS must be attributed to the success of the Apple integrated approach combining sandboxing and a closed software distribution system. More than 90 percent of iOS users run iOS 6 (versus some 30 percent on Android). The groups of iOS devices most open to malware are the ones that have been jailbroken (in a sense making them more like Android devices), and the ones that are used as solo devices away from iTunes on either Macs or Windows.
In fact, the Georgia Tech exploit report should remind iOS users to always make sure they are running the latest version of iOS, which contains the latest security patches, and to always back up their apps and data with iTunes. This backup ensures that in the case that some malware app is downloaded, the device can be wiped and restored with data intact.
Now, this isn't the first time when there's been a kerfuffle over security or the perceived lack of security in an Apple platform. Take OS X on the Macintosh, for example. Back in the days of the Apple- and PC-guy ads, there was one where John Hodgman sneezes and walks over to the Mac guy and tells him that he has a virus that's going around. "Don't be a hero," he warns. Mr. Mac responds that he's not worried and there's no concern that he will get one of the Windows viruses. The concern for Mac malware at the time was almost negligible.
In many ways, the situation remains the same today, but with a twist. There are very few Mac viruses in the wild. I recall that I've been infected perhaps one time in 30 years. I've never had a malware attack on my modern, Intel-based Mac that targeted OS X or Mac applications themselves. However, like many other Mac users, I have Windows installed on my Mac, and that's the primary vector for attacks. My anti-malware program catches a few problems in attachments every day, all of them for Windows. Many years ago, I had a macro virus exploit, but that was because it targeted Microsoft Office, a cross-platform opportunity.
I've always been intrigued by the fact that the Mac — and now iOS — are the most homogeneous computing platforms in the world, unlike their respective Windows and Android competition. That should make the Apple platforms more vulnerable to a concerted attack by malware makers. Instead, the Apple OSes have the better real-world records in the exploit department.