Researchers at Georgia Institute of Technology say they have developed what they call a “Jekyll app” for iOS devices that bypasses Apple’s security measures and can be used for a range of malicious purposes from sending tweets and dialing numbers to operating the camera.
In a paper presented this month at the USENIX Security Symposium in Washington, D.C., the researchers say their novel attack method defeats both Apple’s mandatory app review and code-signing mechanisms.
“Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process,” said the paper, prepared by Tielei Wang, Kangjie Lu, Long Lu, Simon Chung and Wenke Lee.
“Once the app passes the review and is installed on an end-user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”
The researchers said they implemented a proof-of-concept Jekyll app and published it in App Store. “We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.”
The “sandbox”, according to Apple’s app programming guide, is “a set of fine-grained controls that limit the app’s access to files, preferences, network resources, hardware, and so on. As part of the sandboxing process, the system installs each app in its own sandbox directory, which acts as the home for the app and its data. The purpose of a sandbox is to limit the damage that a compromised app can cause to the system.”
The Georgia Tech researchers said their attack did not try to achieve a jailbreak on iOS devices. “Instead, it takes advantage of the intrinsic incapability of the app review process and the design flaws of iOS to deliver various types of malicious operations remotely, which cannot be trivially addressed via software updates. Jekyll apps do not hinge on specific implementation flaws in iOS. They present an incomplete view of their logic (ie, control flows) to app reviewers, and obtain the signatures on the code gadgets that remote attackers can freely assemble at runtime by exploiting the planted vulnerabilities to carry out new (malicious) logic. In addition, the lack of runtime security monitoring on iOS makes it very hard to detect and prevent Jekyll apps.”
The researchers said they immediately removed the app from App Store once a group of experiment devices under their control had downloaded it.
“The download statistic provided by Apple later confirmed that the app had never been downloaded by any other users. We made a full disclosure of our attack scheme to Apple in March 2013 and have since been in correspondence with Apple.”
- About Corero
- Investor Relations
- News Room
- Executive Management Team
- Corero Offices
- Contact Us