Researchers outwit Apple, plant malware in the App Store

'Jekyll' app assembles hidden attack code only after Apple's screened the software

1 2 Page 2
Page 2 of 2

But the review process, even if it was beefed up with personnel and the analysis done with different tools, would not stymie Jekyll apps, Wang and his team wrote in their paper.

"We argue that the task of making all apps in App Store vulnerability-free is not only theoretically and practically difficult, but also quite infeasible to Apple from an economic perspective because such attempts will significantly complicate the review tasks, and therefore, prolong the app review and approval process that is already deemed low in throughput by third-party app developers," they wrote.

With little chance of catching Jekyll apps during review, Apple should enhance iOS security to stymie such masquerading software at runtime, or when it's on an iPhone and active, Wang said.

They made several recommendations, including improving ASLR and providing a finer-grained permission model, but pointed out that hackers may be able to work around those defenses, too.

One way Apple could monitor apps at run time and thus stop Jekylls, was with "control-flow integrity" (CFI), an advanced anti-exploitation technology that requires code execution to follow pre-defined paths, and no others.

Ironically, Apple's rival Microsoft has been at the forefront of CFI research, with papers from its scientists going back to 2005. And last year, the winner of Microsoft's BlueHat Prize was awarded $250,000 for coming up with a "lightweight form of control flow integrity" to protect Windows against ROP, or "return-oriented programming" attacks.

"CFI is a very hot research topic right now," said Wang.

Wang and his team reported their findings to Apple in March, long before the paper was made public. "They said they appreciated the report," said Wang. But he was, like everyone else, in the dark about what Apple might do to block Jekylls from reaching the App Store, or failing that, from executing on iPhones.

Apple did not reply to a request for comment, but elsewhere the company has said it made changes in iOS in response.

According to Wang, iOS 7 is still vulnerable to the technique of hiding vulnerabilities in a Jekyll app and exploiting them after approval to do dirty work.

"However, Apple did enhance its sandbox policies," Wang said Tuesday in an email reply to follow-up questions. "Some of our attack instances no longer work, but we need to further figure our whether iOS 7 completely fixes the issues."

Apple has to do something, Wang argued. "It's not a big deal for a malicious app developer [to do this]," he said.

His recommendation to users? "Be very cautious when you download unknown, third-party apps," he said.

Good advice, certainly, because who wants Mr. Hyde on a rampage when they expected Dr. Jekyll at the door?

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Copyright © 2013 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon