Every report on mobile threats that I've read adds new eye-popping numbers on the growth of malware aimed at Google's Android platform. But often overshadowed in the security doom and gloom over the most popular smartphone platform on the planet are the flaws in the fortress Apple has built around iOS, which powers the iPhone and iPad.
Among the many walls Apple has built to protect users of its mobile gadgets is the App Store. Unlike Google, which allows others to provide Android apps through their own online stores, Apple keeps that business all to itself. Not only does this keep big bucks flowing to Apple, it also makes the company the gatekeeper developers must pass.
From a security perspective, having one multi-billion-dollar company in charge of vetting all apps before they are sold or given away seems like a rock-solid strategy. But as a team of researchers from the Georgia Institute of Technology has shown, rocks can be broken with the right tools.
The scheme that bit Apple
In a paper presented this month at the USENIX Security Symposium, the researchers described how they were able to slip under Apple's radar and plant a bogus newsreader app that appeared benign, but contained some pretty nasty malware. Computerworld reporter Gregg Keizer does a fine job describing how Apple was outwitted, so you should give his story a read. The research paper, Jekyll on iOS: When Benign Apps Become Evil, is also available online for more of the technical details.
Nevertheless, for my purposes, a brief description of the researchers' cunning is needed.
Knowing that Apple would spot malware that's ready for mischief, the researchers broke their malicious logic into small pieces of code called "gadgets" and hid each piece behind the app's legitimate functionalities. They also planted a vulnerability that they could exploit when it came time for phase two.
Once they got their app past the Apple sentry and onto the App Store, they downloaded their trickery onto a controlled group of devices as a proof of concept of what could be done if they were actual bad guys.
Through the vulnerability, they were able to order the benign "Jekyll" app to assemble the gadgets, which quickly turned the app into its evil alter ego, similar to Dr. Jekyll's Mr. Hyde in the novel by Robert Louis Stevenson.
Now Apple has a number of features in iOS meant to neutralize malware, but they were not a problem for the Georgia Tech team. Once the malware was up and running, the researchers were able to post tweets on Twitter, record video, copy the device identity information, send email and text messages, make phone calls, attack other apps and even exploit vulnerabilities in the iOS kernel. All this could be done without the device user knowing.
The fix
The experiment was done with Apple's permission. The Jekyll app was removed from the App Store once it was downloaded to the control devices. No Apple customers had to contend with Mr. Hyde.
Apple seldom comments on its security and an interview request I sent to the company went unanswered. But Tielei Wang, one of the researchers, did get on the phone with me and provided his thoughts.
Apple's first slip-up was in missing the vulnerability the researchers had planted in the app to eventually launch the malware, he said. However, it's an "open question" whether Apple's scanners could pick up such a flaw if it was designed into the app by a shrewd developer.
Even if Apple could catch such well-crafted holes, it would likely add an unacceptable amount of time to Apple's review process, making "a lot of Apple developers upset," Wang said.
What Apple could do to torpedo such an attack is to take a lesson from Google and limit apps to only the services on the phone or tablet that they need. Today, all apps get the same permissions, whether they need the services or not. This gives the successful hacker lots of options.
"In terms of the permission model, I think Apple should learn something from Android," Wang said.
Warning to Apple customers
More than 90 percent of mobile malware is designed for Android because it accounts for nearly 80 percent of the smartphone market. This is the same reason why the majority of PC malware is aimed at Windows.
In addition, security is dismal on many of the Android stores outside of the official Google Play, making it easy to insert malware-carrying apps.
But Apple fans should not feel smug. Overconfidence in Apple's app-checking process can get you into trouble.
"The vetting process cannot prevent all malicious apps," Wang said. "We demonstrated just one method to fool, or bypass, the vetting process."
Even in the safety of the App Store, users should choose their apps carefully and avoid unfamiliar brands that could have a Mr. Hyde lurking inside.