"Jekyll" Test Attack Sneaks Through Apple App Store, Wreaks Havoc

An anonymous reader writes "A malware test app sneaked through Apple's review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS 'sandbox' designed to isolate apps and data from each other. The app, dubbed Jekyll, was helped by Apple's review process. The malware designers, a research team from Georgia Institute of Technology's Information Security Center, were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn't anywhere near long enough to discover Jekyll's deceitful nature."

BUT MACS DON'T GET ...

BUT MACS DON'T GET VIRUSES.
 
Unless they're too slow.

Re:BUT MACS DON'T GET ...

[Immerman]

Why waste your time with viruses when people will pay to run your Trojan?

Re:BUT MACS DON'T GET ...

[rudy_wayne]

But Macs DON'T GET VIRUSES.

Except when they do.

Fixed that for you.

Re:BUT MACS DON'T GET ...

[CanHasDIY]

Heh, remember when Apple changed the info on their page from "DOES NOT GET VIRUSES" to "DOES NOT GET PC VIRUSES"?

That was classic.

Re:BUT MACS DON'T GET ...

[Samantha+Wright]

iOS still has a lot going on under the floorboards that's a rather faithful ARM port of OS X. At least for the pertinent intents and purposes, it's pretty safe to say iPhones are Macs. And stuff.

Re:BUT MACS DON'T GET ...

[ColdWetDog]

No, I believe it was OS X.

Re:BUT MACS DON'T GET ...

[CanHasDIY]

No, I believe it was OS X.

I believe you're right.

That does bring to mind an interesting, slightly OT question - if the new Microsoft OS for phones and tablets is basically the same as Windows 8, does that mean they will all be affected by the same malware?

Re:BUT MACS DON'T GET ...

[ewibble]

But Macs DON'T GET VIRUSES.

Except when they do.

Fixed that for you.

If I remember correctly believe the statement from apple was: (there was an article a long time ago so I could be wrong)

But Macs DON'T GET PC VIRUSES.

well except when they are running on a cross platform VM. Marketing weasel words.

Re:BUT MACS DON'T GET ...

Funny... Typical iHating apple-bashing for no other reason than just to make yourselves feel better.

The research was a very interesting read. That being said, I will GLADLY put more trust into Apple's curated App store than the open wild-west mess that Android is. It takes researches running proof-of-concepts to try to slip something into the App Store. How many apps have been reported on iOS since the iPhone was first introduced found to be nefarious in nature?? I dunno... five? Six? Ten??

How many apps for Android have been reported to contain malware of some kind? I dunno know... but a simple Google search pretty much says it all. So much in fact, that when yet another hourly-malware discovery is reported for Android, it's a non-event.

Keep sipping your iHating kool-aid. No system is 100% secure. Period. At least Apple does far more work to reach that milestone than Google/Android ever will.

Re: BUT MACS DON'T GET ...

http://www.google.com.au/m?q=hypocrite

Now that we got that sorted ...
One of those systems (Android or IOS) will tell me what an App is capable of before I download an app. For example, network access, access to phone book, etc.
As you are not only a hypocrite,you are also highly biased ... so I'll ignore your answer on which OS leaves me in the dark about such fundamental security considerations.

I thought the Apple acolytes had all but died, I was mistaken.

Sent from my iPhone.

Re:BUT MACS DON'T GET ...

Virus does not equal Trojans. iOS not equal to Macs.

Re:BUT MACS DON'T GET ...

[Aaden42]

If they're x86 tables & phones, potentially, though I'd suspect there are some gotchas that would make existing malware unlikely to run as-is. ARM based devices would be immune to x86-targeted malware.

Re: BUT MACS DON'T GET ...

[Aaden42]

Access to contacts, calendar, camera, and a number of other "sensitive" data stores on iOS requires your permission. Compared to Android, rather than asking at install (and preventing you from running the app if you'd rather not grant access), iOS asks at runtime, and you can revoke that access at any time after install. You're given the choice of still running an app in a restricted fashion by denying permission to access certain API's. In order to pass the review process, apps must operate in a reasonable manner if permission is refused or revoked. (Reasonable? A camera app denied camera probably can't do much, but an IM app can still work with a local contact list if you deny it access to your iOS contacts.)

While I'll admit the geek in me might want a few more fobs to tweak than iOS has, I think they reached a good compromise where your average Mom can have some chance of making a sensibly informed decision as to whether an app is seeking too much access or not. Android's granular permissions are WAY beyond what any mortal could be expected to comprehend. Controlling or restricting network access (WiFi only!) would be a nice touch, but in fairness, most of the apps that need it already include the option in their own preferences. Beyond that, most of the things that are additional permissions on Android are forbidden or allowed only in limited conditions (background execution). As a developer, the restrictions are annoying, and there are probably some additional things I could do with my apps if they weren't there. As an end-user, most of those restrictions directly translate to better battery life, a more stable device (nothing in the background eating RAM or CPU cycles) and reduced bandwidth usage. Overall, the balance is I think to the favor of the end-user.

Having developed for iOS since the opening of the AppStore as well as recently for Android, I definitely prefer the iOS model of being able to run an app and deny it permissions piecemeal rather than the Android model of only being able to refuse to run the app completely if it's overreaching. That said, it would be nifty if Apple would add fields in the AppStore listing to show what an app is going to request, giving the best of both I think.

Re:BUT MACS DON'T GET ...

it was a trojan, not a virus, stupid!

Re:BUT MACS DON'T GET ...

[Myopic]

It's not a Mac, and it's not a virus, so actually I don't get his point.

"If you run a program on your computer, that program can do stuff to your computer, so maybe don't run malicious software on your computer."

I literally can't think of a way to avoid that. It's pretty fundamental to how computers work.

Re: BUT MACS DON'T GET ...

It would be uber nice if Android adopted a system like that, but it can be acquired with root privileges. And if any app refuses to run because it requests permissions it doesn't need, then I don't need that app.

Re:BUT MACS DON'T GET ...

And I believe, Mac is a PC. So if it does get ANY viruses on modern Intel platform - it DOES get PC viruses.

Re:BUT MACS DON'T GET ...

Are you sure? Have you checked both of them?

Re:BUT MACS DON'T GET ...

[RaceProUK]

Newsflash: All OSes have about the same amount of vulnerabilities (or are at least in the same ballpark). The difference is how many are actively exploited. This is why there's a perception of (desktop) Windows and Android being more vulnerable - their popularity makes them attractive and profitable targets.

Re: BUT MACS DON'T GET ...

[Rational]

Interestingly, for many years iOS had a greater market share and a much greater installed base than Android, not to mention generally more affluent users. Where was all the iOS malware then?

Re: BUT MACS DON'T GET ...

[RaceProUK]

Down the back of the sofa? It's somewhat of a moot point though, as there's far fewer outdated versions of iOS live compared to Windows/Android.

Re:BUT MACS DON'T GET ...

[AmiMoJo]

OS X lets you run arbitrary code. Is that not a pertinent intent or purpose?

Re:BUT MACS DON'T GET ...

[Samantha+Wright]

Well, it looks like the app store pretty much just contains arbitrary code too! Good work, Apple reviewing team!

Apple review process = a few seconds?

There is no point to the closed system if you let just anyone come in.

Re:Apple review process = a few seconds?

There is no point to the closed system if you let just anyone come in.

Of course there is, silly! It's called "style". More specifically, "illusion of security", which is a style. Apple's big on that sort of thing, you know.

Re:Apple review process = a few seconds?

I found it shocking that they ran it for only a few seconds. I would have expected them to have at least run through all screens/features of the app to ensure that it does what it claims to do. This is a classic case of prioritising volume instead of quality.

Re:Apple review process = a few seconds?

Not true. A closed system can be used to ban competitors whose work you plan to steal.

Re:Apple review process = a few seconds?

[stewsters]

I know some people who were working on an MMO, and during the testing phase someone created an account, logged into the server, walked about 10 feed, opened an escape menu and left, and they were approved. I assume they have some sort of automated scans too, but it doesn't seem like the walled garden provides much security, only an additional chance to charge people.

Re:Apple review process = a few seconds?

True, I meant from security standpoint. Of course it gives you the power to abuse the process.

Re:Apple review process = a few seconds?

[h4rr4r]

Sure there is.
They get a cut of all software on the platform. That is the entire point.

Re:Apple review process = a few seconds?

[Sarten-X]

Checklist for approval:

• Does the app crash on our profiler?
• Does the app look like it does something useful?
• Will users feel like they've been lied to by the App Store listing?

Note that Apple's motivation is not to ensure that only quality apps get into the store. Rather, they just want to make sure that the store itself isn't tarnished. If 30% of your downloaded apps are just shells around scam-laden videos, you'll stop using the store, so they just test each app long enough to make sure that it kinda-sorta does what's claimed. Any problems after that are going to be blamed on the developer, not Apple.

Re:Apple review process = a few seconds?

[PIBM]

I've had a game published which wasn't even started, or approved while only displaying 'an internet connection is required to proceed'. It's hard to be checked out less than this..

Re:Apple review process = a few seconds?

Because Google takes no cut from software sold through its store?

Re:Apple review process = a few seconds?

[h4rr4r]

Not from any apps sold via the Amazon Appstore for Android.

The entire point of Apple's closed system is that they are the only publisher of software for the platform. This means they get a cut of sales no matter what.

Re:Apple review process = a few seconds?

Without knowing much about the setup, I'm kind of doubtful that they can have a high level of confidence that it really ran for a few seconds. If I were testing apps like this, I'd run a good bit of my testing on a disposable VM with a faked network. That way it couldn't send connections out and any self-modification it did while in the test harness would be ignored, so nobody but me would have any way of knowing what went on in the harness

Re:Apple review process = a few seconds?

[Desler]

Not from any apps sold via the Amazon Appstore for Android.

You've just changed middlemen. They still take a cut.

The entire point of Apple's closed system is that they are the only publisher of software for the platform. This means they get a cut of sales no matter what.

So no different than any other mobile store.

Re:Apple review process = a few seconds?

[h4rr4r]

You could also distribute the app via your own website.

Quite different from other mobile stores. Since there is more than one option. You are even free to become your own publisher with no middleman.

Re:Apple review process = a few seconds?

[Nerdfest]

The point of Android is openness and choice. If you don't like Amazon getting a cut, use F-Droid, manually load APK files, or use one of the many other sources for Android applications. Apple is very difdferent than most other software repositories in that it's the only one you are allowed to use. Microsoft is pushing hard for this model with Windows 8 and their Metro apps an it's very profitable and you can lock out competition if you wish.

Re:Apple review process = a few seconds?

[gl4ss]

you can go without a middleman for android apps.. all android devices allow you to install apk's.

now that is a large difference to iOS or windows phone.

if you don't see the difference then you're a fucking moron, the other os allows you to point to a file on any fucking webserver and the other doesn't. the other platform allows you to install anything without the device(or os) manufacturer greenlighting the app while the other censors whatever the fuck it wants that week to censor.

Re:Apple review process = a few seconds?

[CanHasDIY]

Not from any apps sold via the Amazon Appstore for Android.

The entire point of Apple's closed system is that they are the only publisher of software for the platform. This means they get a cut of sales no matter what.

Plus the cut they get from charging $99/yr for the privilege of developing iOS apps.

Re:Apple review process = a few seconds?

[cbhacking]

You mean, aside from the fact that Win8 "Modern" (the interface formerly known as Metro) apps are allowed to be sideloaded? That enabling sideloading can be done by anybody with Admin access to the machine in question, even on the otherwise-locked-down Windows RT (yes, Admin is available by default on RT)?

MS would surely *like* that cut, but they aren't locking out alternative distribution... although admittedly they are discouraging it.

Re:Apple review process = a few seconds?

[Nerdfest]

Microsoft offers free developer licenses for Windows 8. These licenses allow developers to test and evaluate their apps before submitting them to the Windows Store. Each developer license license will expire after some time, but you can repeat the process to acquire a new license in the future.

Is that no longer accurate?

Re:Apple review process = a few seconds?

[tlhIngan]

Checklist for approval:
Does the app crash on our profiler?
Does the app look like it does something useful?
Will users feel like they've been lied to by the App Store listing?

Note that Apple's motivation is not to ensure that only quality apps get into the store. Rather, they just want to make sure that the store itself isn't tarnished. If 30% of your downloaded apps are just shells around scam-laden videos, you'll stop using the store, so they just test each app long enough to make sure that it kinda-sorta does what's claimed. Any problems after that are going to be blamed on the developer, not Apple.

Not to mention none of the things the app does violate the security of the system. All the stuff it can do - take photos, steal your information (contacts, etc), and other things are stuff any app can do - they're not accessing any APIs they're not allowed to or anything else.

Granted, perhaps some of the things it does it shouldn't have access to (e.g., contacts and such), but that's something that's changing in iOS7 anyways.

At best, it's really a user-level piece of malware that can't touch the system and still has to live within the restrictions of an app. It's not getting access that an app doesn't already have, and it's not violating any security restrictions that apps have either (so no, it's not a jailbreak). About the only thing is what took it so long...?

Re:Apple review process = a few seconds?

Except that you can download directly or use one of the several other app stores. So, not the same.

Re:Apple review process = a few seconds?

[Bogtha]

Granted, perhaps some of the things it does it shouldn't have access to (e.g., contacts and such), but that's something that's changing in iOS7 anyways.

Apple already prompts the user for address book access in iOS 6. iOS 7 adds camera and microphone I think.

Re:Apple review process = a few seconds?

[Pieroxy]

I've had a game published which wasn't even started, or approved while only displaying 'an internet connection is required to proceed'. It's hard to be checked out less than this..

Did you get rich selling plenty of this game?

Re:Apple review process = a few seconds?

[Pieroxy]

Without knowing much about the setup, I'm kind of doubtful that they can have a high level of confidence that it really ran for a few seconds. If I were testing apps like this, I'd run a good bit of my testing on a disposable VM with a faked network. That way it couldn't send connections out and any self-modification it did while in the test harness would be ignored, so nobody but me would have any way of knowing what went on in the harness

In other words, you would reject any app relying on a webservice somewhere on the internet. Good policy I guess. Nobody needs Instagram, Facebook of Twitter apps.

Re:Apple review process = a few seconds?

[Pieroxy]

This means they get a cut of sales no matter what.

Which is not the point of the whole thing, by they own word and their own accountants. Did you see the dent AppStore sales makes on their overall profit margin? Do you really think they did all that JUST for the money? Do you think they got where they are by being this shortsightedly stupid?

I'm not a fanboy or anything, but give some credit to Jobs. If he was that dumbfuck stupid he wouldn't have died 1000000 times as rich as you will.

Re:Apple review process = a few seconds?

[AmiMoJo]

So as long as the hardcore porn only kicks in after the Colouring Fun For Kids app after 11 seconds Apple will approve it. Good job.

Re:Apple review process = a few seconds?

[AmiMoJo]

Sure they can, just make the app require an active internet connection and do nothing other than display a message saying "no internet" otherwise. Only launch the attack when you know you can communicate with the researcher's server.

Remember, the goal here was to probe the vetting process, so it's reasonable to assume they anticipated common techniques like isolated VMs.

Re:Apple review process = a few seconds?

or you know - if this were a real attack, once the first handful of people were affected, it would be reported and removed.
(And if particularly nasty could be retroactively removed fro anyone who had already downloaded it)

Re:Apple review process = a few seconds?

[exomondo]

If I were testing apps like this, I'd run a good bit of my testing on a disposable VM with a faked network.

Meaning any application that required web services wouldn't work...great plan!

Re:Apple review process = a few seconds?

Any long time developers on any platform care to chime in?
When Apple opened the iPhone to outside developers, I recall people scoffing at $99 until someone noted developing for Palm (or whatever the mobile platform of the day) cost $500.

Re:Apple review process = a few seconds?

This certainly didn't used to be true. During 2010 and 2011 I had apps tested where during the review process I saw pictures of the lunchroom at 1 Infinite Loop posted via the app, and a game that posted highscores. But I suspect the app store "review" model has finally broken down under the weight of its own success... Last fall I saw a new app approved that literally crashed at startup. I posted AC because I'm still embarrassed that a bug like that slipped in, but.. that really tells you something about the quality of the "review".

Re:Apple review process = a few seconds?

Well, in 2012 you could already publish things like this and even get to the chart tops.

Re:Apple review process = a few seconds?

[readingaccount]

Nobody needs Instagram, Facebook of Twitter apps

If the world lost such apps, it would be just that litter bit nicer to live in I think.

Re:Apple review process = a few seconds?

At best, it's really a user-level piece of malware that can't touch the system and still has to live within the restrictions of an app

It'd be so awesome if someone would get an official app in the app-store that would become ultra-popular under some other pretense and then mass-jailbreak phones. :-D

Re:Apple review process = a few seconds?

Huh? Ever heard of proxies? And don't tell me about encryption, if we already have the key!

Re:Apple review process = a few seconds?

[Immerman]

Don't forget the disapproval checklist:
        Does the app compete with any of our own current or future products in any way?
        Does the app violate the sensibilities of the reviewer, his boss, or her mother-in-law's cat?
        Is my coffee cold?

Re:Apple review process = a few seconds?

[Pieroxy]

No weather app either, no email client, no RSS reader, no Dropbox, no phone/sms app, no Shazam, no browser, no GPS app (iOS, Waze, Google all rely on the net) no SSH client, no client for your favorite website (fandango, wikipedia, google, imdb, yammer,)...

The list is long the the GGP's comment was idiotic. That was just my point.

Re:Apple review process = a few seconds?

[readingaccount]

Nah, I get your point. Figured I'd just have a bit of fun at the examples you originally posted, but you're right, the previous poster was way too broad.

Re:Apple review process = a few seconds?

Not anyone. Just the trustworthy looking people. And if they mess up, you can immediately kick them out.

Re:Apple review process = a few seconds?

"Nobody needs Instagram, Facebook of Twitter apps."

I couldn't agree more.

Apple Security Team

So...it has come to get this...

Wreak Havoc seems a bit overblown

[glennrrr]

Since it was just a proof of concept and was on the store for a few moments.

Re:Wreak Havoc seems a bit overblown

They needed 'wreaks havoc' to meet the Headline Hyperbole Quotient for the story. Any story about Apple, Microsoft or Google now requires a significant HHQ.

Re:Wreak Havoc seems a bit overblown

Depends on how you restrict your concept of havoc. The amount of tardy kerfluffle about this exploit, and the potential future impacts could be considered to constitute havoc.

Re:Wreak Havoc seems a bit overblown

[Freshly+Exhumed]

You are showing your human bias. Think in terms of clock ticks and the amount that can be accomplished by a computing device in "a few moments" and it becomes clear that "Wreak Havoc" is justifiable even if harm wasn't necessarily found after their analysis.

Re:Wreak Havoc seems a bit overblown

Probably wreaked havoc on the career of the monkey who approved it.

Re:Wreak Havoc seems a bit overblown

Reminds me of this scene from First Contact:

(Picard drains the coolant, finds the Borg Queen's head and neck that is still blinking. He breaks the neck)
DATA: Captain.
PICARD: Data, ...are you all right?
DATA: I would imagine that I look worse than I ...feel. ...Strange. ...Part of me is sorry she is dead.
PICARD: She was unique.
DATA: She brought me closer to humanity than I could have thought possible. And for a time I was tempted by her offer.
PICARD: How long a time?
DATA: Zero point six eight seconds, sir. For an android ...that is nearly an eternity.

Re:Wreak Havoc seems a bit overblown

Perhaps it is referring to the cognitive dissonance experienced by Apple fanboys who believe the delusion that the Apple app store is magically more secure than the Google store.

Re:Wreak Havoc seems a bit overblown

[sl4shd0rk]

was on the store for a few moments.

Agreed. All iOS apps claiming to be "malware" need to actually destroy something or we aren't going to believe you could actually do it.

Re:Wreak Havoc seems a bit overblown

[Zalbik]

Since it was just a proof of concept and was on the store for a few moments.

Yes, but it was only on the app store for a few minutes due to the researchers removing it:

"The researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.”

A better headline may have been:
"Researchers demonstrate that havoc-wreaking malware can bypass Apple's app store review process"

Re:Wreak Havoc seems a bit overblown

You are showing your human bias. Think in terms of clock ticks and the amount that can be accomplished by a computing device in "a few moments"

You are also showing your bias, but in the other direction. If I was writing malware designed to slide past user awareness, I'd have a sleep timer so that stuff wouldn't start acting funny immediately after they installed my app. And so it wouldn't get caught by malware scanners.

Re: Wreak Havoc seems a bit overblown

I just flipped the bird to an Apple acolyte, so fair is fair...

If you compare the track record of IOS, it's streets ahead if Android for the number of, and percentage of rogue apps. Apple has historically been much safer.

Apple should be able to do an API call analysis to help identify secrurity risks of apps ... Why not inform the user of those risks?

Re: Wreak Havoc seems a bit overblown

[EGSonikku]

Malware that has reach end users on the App Store can be counted on your fingers. Do you *really* want to compare that to Android malware figures?

You can argue *why* that is, but reality begs to differ that App Store security is a 'delusion'.

Re:Wreak Havoc seems a bit overblown

Oh silly Apple apologists.

Re: Wreak Havoc seems a bit overblown

Malware that has reach end users on the App Store can be counted on your fingers. Do you *really* want to compare that to Android malware figures?

You can argue *why* that is, but reality begs to differ that App Store security is a 'delusion'.

Forgive me, but I can't see above in this thread of someone saying App Store security is a delusion, or mentioning Android.

But for arguments sake, I'd address your point: The why of this is the most important part. If few make it through because "The App Store has great security" then great.
If its because people believe its better so don't try to find the vulnerabilities or due to lower market share or due to a better manage reputation or almost anything else. the protection gained can dissipate very quickly with a few cases like this, much like a delusion.

As you said, the why can be argued. Dispite the figures, its always worth having the discussion.

.

iOS apps -- can they self-modify?

[swb]

Let's say you submit an app to the app store, and like many it's designed to do something fairly idiotic that today's kids find funny, say, take a picture and then superimpose the picture onto a set of background images included with the app.

Now, let's say the app writer has steganographically embedded "naughty" code in the background images, maybe even going so far as to spread the code across all the images, encrypt, etc. to make it difficult to find.

Can the app modify itself by taking its hidden code from the images and actually execute it? Can you download "new" code from the internet, even if its steganographically hidden? It seems like you shouldn't be able to do this, like the apps should be sandboxed from modifying their own code just to prevent importing unapproved code.

Re:iOS apps -- can they self-modify?

[schneidafunk]

From my understanding, compiled code is reviewed once. However, in the cell phone app that I made, a lot of content was pulled from a database that I controlled, meaning product information could be updated by me without the need of review from Apple. We joked about replacing images with NSFW images, but I imagine what this team did was have a compiled app that ran code from a DB and was similarly able to be updated later.

Re:iOS apps -- can they self-modify?

I don't think you even have to let the app modify itself. You could hide some kind of simple but obfuscated interpreter inside the app, and run hidden code from images through the interpreter.

Re:iOS apps -- can they self-modify?

[stewsters]

How would you stop it? Code is just instructions, you make it scan the image (easily concealable for an image editing program) and then have the poorly written (or obfuscated) objective c code conceal code that executes the data in the image. Without removing all inputs its hard to do.

Re:iOS apps -- can they self-modify?

[h4rr4r]

Why would it need to modify its own code?
Why not just have an interpreter in there to begin with? Or just have a simple date check. Don't be evil for X days.

Since they only have the compiled program they have no idea what it will do in the future.

Re:iOS apps -- can they self-modify?

[sjames]

Build an interpreter into the app. No need for it to modify it's own code, just the data that tells it when to do what.

Re:iOS apps -- can they self-modify?

[Bogtha]

For the most part, yes, but not in the way you think. Objective-C is a very dynamic language. It's not really about sandboxing - apps can't modify their own code. What they can do is include components that do fairly generic, innocuous things, then take external input and construct messages to those existing components on the fly based on that input.

Re:iOS apps -- can they self-modify?

[cusco]

One of the voting machine vendors (not Diebold) actually did this in order to pass testing to get approval. From Date 01 to Date 07 it would only run locally available code, but then from Date 08 onwards it would check for scripts available on the inserted compact flash card and run them if they existed. The CF cards were only supposed to be used for recording votes, but the company was also using it to update the machine's firmware. No one knows for sure whether the scripts were used to change votes or anything else, but the possibility was certainly there.

Re:iOS apps -- can they self-modify?

[gnasher719]

Can the app modify itself by taking its hidden code from the images and actually execute it? Can you download "new" code from the internet, even if its steganographically hidden? It seems like you shouldn't be able to do this, like the apps should be sandboxed from modifying their own code just to prevent importing unapproved code.

It may be quite possible that you can create code on the fly. However, the app is still sandboxed. It has permissions, and it cannot do anything that it isn't permitted to do. Which _should_ be a protection against viruses (even if some virus or malware can attack your app, it cannot break out of the sandbox and do things that the app isn't allowed to do), but it also protects against the app maker doing naughty things himself.

Re:iOS apps -- can they self-modify?

[Impy+the+Impiuos+Imp]

A scripting engine with hooks for vital system calls and arbitrary address writes via script parameter could get around compiled code requirements in any case.

Re:iOS apps -- can they self-modify?

You stop it w/ what is known as dynamic code signature verification. This is implemented as part of the virtual memory pager. In a nutshell, each page in the text section of the app's executable is signed, and the section/pages are set to read/execute only. If an attempt to set a page to execute occurs later, the signature for that page is checked, and if that fails (i.e. was not executable code originally included in the approved & signed app), then the executable is terminated.

Jekyll does not "just execute more hidden code". It embeds ROP gadgets that can be used in a "special way" to execute code that is already within the executable and signed/approved, but in a different way (reuse instruction sequences to form a ROP chain/stuff to be executed).

Re: iOS apps -- can they self-modify?

Or just use sleeper code that's triggered after a certain date and/or time. Sand boxing won't help there...

Re: iOS apps -- can they self-modify?

[watice]

to which the apple reviewer should simulate your app running on more than just one day/occurrence.. my experience has been mixed. New apps take forever to get approved for me, but updates are pretty quick, 3 days or so.

Re:iOS apps -- can they self-modify?

The votes could be switched in either direction, technically, but in this day and age it's "pics or it didn't happen".

Here's one with pics.

Here's one without pics.

Huh, funny that, the REAL voter fraud was only switching votes from Dem to Pub, but the claims of switching votes from Pub to Dem have no such evidence, only spurious claims. My guess it that some fucktard racist white assholes decided to lie and stir up some shit; the alternative explanation is that they were too stupid to press a button.

Re:iOS apps -- can they self-modify?

[swb]

I don't know how much AI they throw at code analysis to ensure compliance with their rules. Are they able to identify or at least flag as suspicious possible interpreters? Having iOS apps with interpreters has been an issue in the past, so it wouldn't surprise me if they could ID them.

Being able to include code you wanted to execute without having it show as code at all (ie, hidden in included images, etc) seems like it would sneak past the censors more easily.

Re:iOS apps -- can they self-modify?

[VisceralLogic]

Huh, funny that, the REAL voter fraud was only switching votes from Dem to Pub, but the claims of switching votes from Pub to Dem have no such evidence, only spurious claims. My guess it that some fucktard racist white assholes decided to lie and stir up some shit; the alternative explanation is that they were too stupid to press a button.

Remember Florida?

Um..

“The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says,”

So it "wreaked havoc" when no one installed it? lolwut?

Re:Um..

Hype? FUD? or, what I think, poor use of words for the summary title....
I see you are new to /. if you didn't notice that.

Re:Um..

[CanHasDIY]

“The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says,”

So it "wreaked havoc" when no one installed it? lolwut?

"No innocent victims" != "no one"

Re:Um..

[Desler]

Actually it really does. Only the researchers installed it before it was pulled.

Re:Um..

[CanHasDIY]

So, then, someone did install it, as opposed to "no one."

Kinda funny how your defense contradicts itself.

Q&A

[tuo42]

When I read this article, it strengthens my opinion that the Q&A process for the App Store is absolutely flawed. Don't get me wrong, regardless of wether you like or hate the walled garden, I actually am of the opinion that the guidelines - especially the UI guidelines - developers have to follow to beeing approved for the app store are a good thing in and itself. The Google Play store has similar guidelines, allthough - IMHO - not as focused on user experience.

I had a apps declined due to improper usage of a certain widget in another certain widget which was not deemed "correct" (switch button in a table footer for example), but always was able to either find a similar solution or - in one rare case (the one mentioned) - explaining WHY that switch button is there, and how if you take a look at the UI, understand what it does.

Then again I saw apps in the store which completely failed most of the even basic guidelines, described as (between the lines): "fail these, and your app will 100% be NOT approved", and I wondered "how did they get in there"?

Talked to other developers, same experience. Some knew they had a few things in there against the guidelines (custom springboards, views not conform with the UI guidelines) and hoped to get through. Sometimes they managed, sometime not, so they also got the feeling that the Q&A for the App store is somewhat like tax declaration. They don't seem to have enough time/ressources to check all, so if you something that is against the guidelines, you have to hope that you are one who doesn't get checked thoroughly.

Re:Q&A

[tuo42]

Help, I need someone repair my brain, fast!

Of course I meant QA! How could that go through my Q&A..... ;)

Re:Q&A

[Princeofcups]

Talked to other developers, same experience. Some knew they had a few things in there against the guidelines (custom springboards, views not conform with the UI guidelines) and hoped to get through. Sometimes they managed, sometime not, so they also got the feeling that the Q&A for the App store is somewhat like tax declaration. They don't seem to have enough time/ressources to check all, so if you something that is against the guidelines, you have to hope that you are one who doesn't get checked thoroughly.

It sounds like someone is rubber stamping apps, and not doing his job.

Re:Q&A

[tuo42]

Then again to them (and I think any business) it might be a difference if some John Doe sends an app which reads "share your life, your secrets, your meals, your pets, where you go, what you think, what you don't think, who you like, who you don't like, what you do etc. with all of your friends, sometimes their friends, people you don't like but have to be friends with to be cool or to prevent beeing fired and of course the NSA and at least five other absolutely professional security agencies around the world for FREE!!!!" than when one of the most influental social networks enters an app that basically reads the same but in less words: "do everything you do on facebook, but while you're away from your computer".

Re:Q&A

[h4rr4r]

Well it is an impossible task, so no surprise there.

I can easily make an app that has a good mode and an evil mode, it decides which by downloading some images from my website. Since the app is used for some image related task you would never notice.

Unless Apple has solved the halting problem and they failed to tell us.

Re:Q&A

Meh. Jekyll's author wasn't too smart either. He did this right before iOS 7 comes out so now Apple can claim "this was already fixed in the new version". Also, I'm pretty sure his developer account will be banned and he'll never get another one.

Re:Q&A

Do you know the difference between "guidelines" and "rules"? I don't think you do, otherwise you wouldn't have used the word "certain".
They are guidelines... general rules of thumb that can be broken if there is a good reason to, but 95% of the time, they should be followed.
Also, the reason for them is to encourage a consistent user experience across apps... How could a 3rd party app be "propriety"?

The guidelines do not address privacy or security.

Re:Q&A

[Bogtha]

I'm an iOS developer, and the approval process can be a real problem for me sometimes, but I still think the App Store is far better with it than without it.

I've seen a lot of clients ask for dumb stuff. Using UI elements in confusing ways. Doing user-abusive stuff. Being generally annoying and self-serving rather than being designed with the user's best interests as a goal.

The great thing about the approval process is that I can tell those clients "Apple won't allow it" and it instantly shuts them up. The alternative would be hours of trying to convince them not to do something horrible, which leaves everybody unhappy no matter what decision is made. And this is the best case scenario, when you've got a developer willing to go to bat for the users. There's plenty of developers out there who will blindly do whatever the client asks, no matter how shitty it makes the UX.

It's not just bad decisions. It's QA as well. Do you have any idea how keen people are to just push stuff live and then fix it after? I don't know about you, but I don't want a dozen updates every morning as developers meddle with their apps trying to get things right. The approval process gives developers the stick necessary to perform proper QA. We don't dare push anything live if there's the possibility of a crasher, because Apple will reject it and we have to wait another week to get reviewed again.

If the approval process wasn't there, then the quality of the apps on the App Store would plummet. You think it's bad with Android, but Android doesn't attract the worst kinds of ambulance chasers. The App Store would be 75% Geocities level quality in no time at all.

What I do disagree with is making the App Store the only way to get applications onto the device. There's really no legitimate reason for not allowing side-loading for people willing to go into settings and agree to a disclaimer.

Re:Q&A

[Threni]

>The Google Play store has similar guidelines, allthough -
> IMHO - not as focused on user experience.

That's why I prefer android - I don't care what Google or anyone else thinks of people's apps. It's none if their business.

Re:Q&A

Exactly! The user experience would be horrible if it was up to most paying clients. Thanks for the excellent post.

Re:Q&A

[Richy_T]

Unless Apple has solved the halting problem and they failed to tell us.

There's an app for that. Wait, why has my screen filled with skulls and crossbones?

Re:Q&A

The alternative would be hours of trying to convince them not to do something horrible, which leaves everybody unhappy no matter what decision is made.

But at least they might learn something that way.

Re:Q&A

[Myopic]

Running a closed app store with a tight approval process is fine. Preventing use of outside apps or app stores is not fine. That's where the line is, and Apple is over the line. They could still have their branded kid-safe no-porn carefully-checked pre-installed app garden, and everyone would trust it and use it and they would make tons of money, but Apple has an ideology of control which means they can't abide alternatives.

Re:Q&A

Running a closed app store with a tight approval process is fine. Preventing use of outside apps or app stores is not fine. That's where the line is, and Apple is over the line. They could still have their branded kid-safe no-porn carefully-checked pre-installed app garden, and everyone would trust it and use it and they would make tons of money, but Apple has an ideology of control which means they can't abide alternatives.

Then don't buy one? If the problem is less software choice, then that really weakens a lock-in argument, so...
My theory is that most people really do not care about the ability to run uncertified software on their phones. s/phones/car,microwave,toaster,tv,games console,tivo,kitchensink, etc.

It's hard to argue with them in the face of all the choice you still retain despite that.

Re:Q&A

[Myopic]

Mmm hmmm, exactly, I didn't buy one. It's a shame because it's nice software running on nice hardware. I'm glad Android is an excellent alternative (equal in my opinion, perhaps superior) or else I'd be left with nothing. That's sort of how I feel about Mac OS: I really don't like the direction its going but there isn't a great alternative. Linux is pretty good but it's not as good as OSX.

Re:Q&A

[antdude]

Question & Answer? :P

Oh SNAP!

"Apple ran the app for only a few seconds, before ultimately approving it."

Most apps only get used for a few seconds anyway

[JoeyRox]

iOS apps are disposable like travel-sized portions of toothpaste.

Truly shocked at this

Would have trusted Steve Jobs to have solved the Halting Problem before he died. Guess he was a mere mortal after all.

Re:Most apps only get used for a few seconds anywa

[Provocateur]

oh, you mean like my single-serving friends that I meet in my travels

Re:Most apps only get used for a few seconds anywa

[tuo42]

Wanna buy some soap?

I call bullshit on "unaware" claims

[SuperKendall]

I can totally see getting an app through the submission process that does something a bit sneaky. Sometimes the app reviewers hardly look at a thing (though sometimes they look very carefully, it just depends on the reviewer).

But the claim the app could "wreak havoc" needs some proof. They said:

a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps â" all without the users knowledge

Every single one of those, requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.

Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...

Re:I call bullshit on "unaware" claims

[h4rr4r]

You can't attack other apps?
So how does jailbreaking work?

If you can jailbreak, you can use that to attack other apps or do any of those other wonderful things.

Sure you would need to use a jailbreak after being installed, but chaining together attacks is a well known thing to do.

Re:I call bullshit on "unaware" claims

Head, meet sand. Enjoy your stay.

Re:I call bullshit on "unaware" claims

In the full paper they describe how they can do these actions without user consent, by calling the private APIs available.

Re:I call bullshit on "unaware" claims

[Bogtha]

Every single one of those, requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet.

Read the paper - they watched the interaction in a debugger to find the right messages to send to the right private classes in order to bypass this.

This only worked with iOS 5 - last year Apple moved sheets like these into external processes and used a proxy view controller to show them in applications instead of embedding the functionality directly, so attacks like this aren't possible any more where this technique has been used.

I agree that this is somewhat sensationalised, but they were able to do this without the normal user approval in the 4% or so of people still running a two year old version of iOS.

Re:I call bullshit on "unaware" claims

Mod this up. This is correct. Their 'attacks' won't even work in the iOS that 95% of iOS devices, and surely those that are actively purchasing stuff.

Re:I call bullshit on "unaware" claims

[Minwee]

Every single one of those, requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.

Good point. I guess that this never happened because of the tight limits put on app capabilities.

Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...

Ah, the old "That vulnerability is completely theoretical" defense. It worked so well for Microsoft in 1992, and it's still working for Apple today.

Re:I call bullshit on "unaware" claims

[Zalbik]

Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented.

No, they do not. Their claims require more proof than the reporter presented in the article.

The researchers wrote a fairly in-depth paper on the attack which can be read here

In the case of tweets, they make use of "private API's" to avoid notifying the user:

the public API called by the app will present a tweet view to the user, and let the user decide whether to post it or not, as shown in Figure 9. However, we find that the tweet view in Figure 9 can be bypassed by using private APIs, i.e., ourapp can post tweets without the user’s knowledge. Next,we describe how we discover the private APIs needed for achieving this goal

Their POC app apparently performs the exact malicious tasks they indicate all without user notification.

Re:I call bullshit on "unaware" claims

That doesn't matter! This isn't Android we're talking about.

Re:I call bullshit on "unaware" claims

[Zalbik]

This only worked with iOS 5

Some items only worked in iOS 5.

Based on Table 1 from their paper here, the following items could be accomplished by their app on iOS 6:
- posting tweets
- using the camera
- dialing
- using bluetooth
- crashing safari
- stealing device

It was only sending SMS messages, sending email, and rebooting the system that were limited to iOS 5.

Re:I call bullshit on "unaware" claims

Jailbreaking, to date, works in one of two ways:

• By exploiting a bug in the firmware, using a computer or other device to talk to it over USB.
• By exploiting a bug in an app that runs as a privileged (unsandboxed) user, e.g. Safari.

I'm pretty sure that the first of these is not possible from an app, sandboxed or otherwise, but if it were possible, it would presumably require touching low-level APIs that would get flagged by even the most basic use of nm against the app binary.

The second of these might be possible from a sandboxed app if the app causes Safari to open something, but putting a link to properly crafted attack content on a popular website would yield the same result and would not require you to craft a malicious app on the store, making this a completely implausible attack vector.

Sure, this could conceivably be used to create a botnet for spamming, but that's probably about it. And if you did that, users would complain about their data charges, and the app would get yanked and disabled.

Re:I call bullshit on "unaware" claims

[Pubstar]

Where are my mod points when I need them. I figured that here on /. that people would me modding up things that prove that ap

Re:I call bullshit on "unaware" claims

[Pubstar]

GG /. on eating half my comment.

Re:I call bullshit on "unaware" claims

Oh really? So how about those millions upon millions of IPhone 3 / 3G and IPad 1?

Not everyone in this world is a wealthy American that would throw away a perfectly fine three year old phone or tablet, just because the manufacturer decided not to offer security updates any more.

If Microsoft behaved the way Apple does wrt. updates, slashdot (and everyone else) would be outraged!

Re:I call bullshit on "unaware" claims

[maccodemonkey]

Every single one of those, requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet.

This example isn't correct. Apps can get access to the social framework, which allows them to do things directly to the Twitter web API, which as far as I know, includes posting Tweets. This is used for apps that want to have their own custom UIs but also have access to the user's Twitter data (for example, Twitter clients.)

Now, you are right in that this would spawn a dialog that requires user authorization. Trying to access the user's Twitter account token will cause the system to ask the user's permission, and it will tell the user you are allowing the app to post to your Twitter account. So the app can't just start posting things quietly.

But this isn't really that amazing in that any app on iOS that asks for your Twitter permissions could do things with them. So more of a reminder that yes, you should be careful what apps get permissions to your social network accounts.

Re:I call bullshit on "unaware" claims

[Wovel]

It's also a reminder that slashdot headlines have reached new levels of absurdity.

Re:I call bullshit on "unaware" claims

[Wovel]

I don't see them actually claim that anywhere and their paper is not out yet.

Re:I call bullshit on "unaware" claims

[Wovel]

Are you certain users did not give the app permission to use their twitter account? Nowhere in the article on the dictionary app does it claim they broke out of the sandbox and took control of people's twitter accounts.

You seem to have a tendency to use completely unrelated links to try and bolster a pretty weak position. Your l0pht link is equally puzzling.

Re:I call bullshit on "unaware" claims

[Wovel]

In fact, from the article you linked:
" A notification appeared locally on the device and if the user had authorized the app to access their Twitter account, a tweet of the notification was sent out under their account with a hash tag #softwarepiracyconfession"

See the if part of the statement? Maybe it would help to read what you link? Maybe a little?

Re:I call bullshit on "unaware" claims

[Wovel]

But they never discuss if the app had to be given permissions. Sure they say they did it all secretly and hidden using private apis, but they never indicate they did not give the app permissions when it was run.

Hard to believe this paper has been peer reviewed.

Re:I call bullshit on "unaware" claims

[DavidRawling]

I don't see them actually claim that anywhere and their paper is not out yet.

The GP included a direct link to the paper, and you blindly state that it's not out!? I know it's fashionable to comment fast and defend the almighty Apple, but you might try more reading comprehension first.

The quote from the paper is on page 566 (remember this paper forms part of a greater work, and therefore the page numbers are a little strange) just above Figure 9. (I do note that the quote above is missing a space between "our" and "app", but that's no excuse for not finding it).

Re:I call bullshit on "unaware" claims

[Minwee]

I can only assume that you hadn't heard of L0pht Heavy Industries before. That shouldn't surprise me as much as it does, since they're older than the App Store and probably had shut down before some of this site's readers were even born, but if you have any interest in computer security and the way that things got to be the way they are then you may want to do a little reading on the subject.

Their slogan, cited at the very top of the linked page, is "Making the theoretical practical since 1992" which is a direct response to the "purely theoretical" defense. Since you like topical links, here's a column written by former L0pht member Weld Pond in which he describes the origin of that phrase:

"A decade and a half ago, an early hacking group known as L0pht Heavy Industries, of which I was a member, posted a quote from Microsoft — "That vulnerability is entirely theoretical." — to prove the point. The saying came about due to an email exchange in which the L0pht was reporting to Microsoft one of the first buffer overflows discovered in their software. (I later found out that Microsoft, internally, called such bugs a "L0pht-type" vulnerability.) They couldn’t imagine how someone could write an attack tool to take advantage of a stack overflow. No attack tool, to Microsoft, meant exploitation was entirely theoretical."

Not surprisingly an attack tool was quickly released, the theoretical was recognized as being practical, and the problem was eventually fixed. The lesson in not dismissing things as impossible just because you don't understand them is still one which needs to be learned.

Re:I call bullshit on "unaware" claims

[Minwee]

Maybe it would help to read what you link? Maybe a little?

I did read it and many others like it, but there's a lot more to the story than can be gleaned by a cursory scan of just that one article. There's more in that paragraph that you didn't quote, and it's significant:

According to an apology letter Enfour wrote to customers, the anti-piracy module worked like this: "Upon waking, a dialog box showed 'Run in Safe Mode,' then the app disabled itself and performed an auto soft close. A notification appeared locally on the device and if the user had authorized the app to access their Twitter account, a tweet of the notification was sent out under their account with a hash tag #softwarepiracyconfession. This tweet only happened if the user tapped a send confirmation button."

You're not quoting the article directly, you're quoting the weasely 'apology' letter put out by EnFour itself, after their colossal screw-up had already become public knowledge. It's all about damage control. People who used the app describe it differently:

I sat down to grade papers for an English class, and loaded up the dictionary app I’ve been using for ages to check a word. I got asked for access to my Twitter account, declined, and was thrown out of the app. Again and again. OK, I thought, apparently some update means the app now requires access – nothing new, apps need location access to access photos, and I don’t plan on sharing any words on Twitter anyways, so why not. I checked my word, went back to grading.

A few minutes later, I get a Twitter notification email about someone replying to my tweet.

So here we have a $50 app which, as purchased, did not require any kind of social media access. After buying and downloading it an update changed that behaviour and effectively disabled the entire application until the user gave in and pushed the "Yes, you may access that" button. Enfour's self-serving "if the user had authorized the app" statement just happened to leave out that the user had the choice of either authorizing it or never using it again.

You could argue that the weakest link here was the human user, who ultimately gave the app access, but the problem of apps requiring seemingly unneeded permissions is nothing new. From the same article:

"I gave the app permission to access my Twitter account because being asked for weird permissions is nothing new, especially when 2/3 of your devices run Android. Android apps need internet access for license checks and displaying ads, they need camera access to use the LED, launchers need access to contacts because they include a feature to add direct call shortcuts to the home screen, and so on. This is a $50 app that I’ve owned and used for two years. I had absolutely no reason to expect that it had malicious intents. If I stopped allowing apps access to features like that because I didn’t immediately see the reason, I wouldn’t have many apps left. A free wallpaper app that was released two days ago on Google Play and has 500 negative reviews? Sure, it’s bad. A two-year-old $50 app that has gone through the Apple approval process dozens of times over those years? You wouldn’t think so."

You don't need technical wizardry and secret back doors when the front door is so difficult to use that most users just prop it open with a stick. The problem with the Enfour dictionary apps wasn't one that could be solved by requiring apps to have specific permissions. The problem was that the permissions system was broken and being used in a completely unexpected way by an otherwise trusted application. An otherwise

Bravo

[hesaigo999ca]

Well done, by jove I think you've got something, my dear watson!

The value isn't in review, it's in revocation.

[Above]

No review process will ever catch all bad actors. I think Apple should be doing a better job with reviews in several dimensions, but that's not the prime advantage to the Apple ecosystem.

The main advantage is Apple can revoke the application. If this app started doing bad things Apple can remotely prevent it from running, and in fact revoke all apps by the same developer. This central control is what scares people, but it's also what makes long term exploitation impossible. The Google ecosystem doesn't have this feature, with no centralized control.

Re:The value isn't in review, it's in revocation.

[berj]

No review process will ever catch all bad actors. I think Apple should be doing a better job with reviews in several dimensions, but that's not the prime advantage to the Apple ecosystem.

The main advantage is Apple can revoke the application. If this app started doing bad things Apple can remotely prevent it from running, and in fact revoke all apps by the same developer. This central control is what scares people, but it's also what makes long term exploitation impossible. The Google ecosystem doesn't have this feature, with no centralized control.

I'm pretty sure (though not 100%) that this isn't true.

I've downloaded many apps that have since been pulled from the app store (some MAME apps and some tethering apps). They all still run. Apple can pull apps from the store so that they can't be downloaded again but once you've got them on your device they can't do anything.

Re:The value isn't in review, it's in revocation.

Apple *does* have a kill switch that they can use to remotely remove/disable apps, but AFAIK they've never used it.

Pulling an app from the store isn't the same as firing the kill switch. As you said, pulling an app from the store just entails removing it from their servers so it can no longer be downloaded. The kill switch would actually remove the app from user's devices or prevent it from running.

Re:The value isn't in review, it's in revocation.

There is a blacklist feature as well, used extremely sparingly, which can prevent already-downloaded apps from running at all.

Re:The value isn't in review, it's in revocation.

[Richy_T]

Apple can pull apps from the store so that they can't be downloaded again but once you've got them on your device they can't do anything.

I wouldn't put money on that. There just haven't been any transgressions worth the Amazon "1984" outrage, more likely.

Re:The value isn't in review, it's in revocation.

[powerlinekid]

-1, wrong.

Yes Google does have the ability. If I get an app from the Play Store and it is removed by Google, they have the ability to remove it from my phone. Its happened a couple times with emulators. Now if I decide to circumvent the Play Store that is a different story.

However, that is what Android gives... choice. With the App Store you don't have that choice; you only use what Apple lets you use. If you want to be a moron and run any old app, you can't.

Re:The value isn't in review, it's in revocation.

There is a difference between removing an application from the store because it goes against the terms and removing an application because it is malware. Apple is certainly able to make this distinction.

Google is able to remove applications remotely, they did so in the past, google it up.

Re:The value isn't in review, it's in revocation.

[Above]

There are plenty of articles on the remote kill switch, here's one of the first: Steve Jobs confirms iPhone application "kill switch"

Re:The value isn't in review, it's in revocation.

[Above]

For the narrow case where you have a unmodified Android phone and only get your applications from the Google Play Store, you are right, Google has the same capability.

But honestly, what percentage of Android users does that cover? 1%? 0.1%? Plenty of people use the Amazon app store, which I believe does not have the same capability on Android. What about apps from the Verizon App store, which many Verizon branded phones directed people to automatically for a while?

And of course there's always a side loaded app on Android. On IOS you can't side load, on most Android you can.

Look, I'm not saying IOS is better than Android in this case, just that Apple has iron clad single point of control for _ALL_ applications, while Google does not. There are some pros, and some cons to that. Consumers can choose which model they like btter.

Re:The value isn't in review, it's in revocation.

For the narrow case where you have a unmodified Android phone and only get your applications from the Google Play Store, you are right, Google has the same capability.

But honestly, what percentage of Android users does that cover? 1%? 0.1%? Plenty of people use the Amazon app store, which I believe does not have the same capability on Android. What about apps from the Verizon App store, which many Verizon branded phones directed people to automatically for a while?

And of course there's always a side loaded app on Android. On IOS you can't side load, on most Android you can.

Look, I'm not saying IOS is better than Android in this case, just that Apple has iron clad single point of control for _ALL_ applications, while Google does not. There are some pros, and some cons to that. Consumers can choose which model they like btter.

Are you actually serious? You actually believe that people with unmodified Android phones who get their apps from the Google Play store is a narrow case? That is one of the most daft things I've read all week. The majority of Android phones are 'unmodified' and the majority also download their apps from Google Play. Did you really think Google Play surpassed 50 Billion downloads courtesy of modified Android phones LOL. One more thing, Amazon or the other Android app stores aren't even in the same stratosphere.

Monitored?

[wiredlogic]

What kind of two-bit operation is Apple running if apps can phone home during the vetting process.

Re:Monitored?

Huh? What about apps that are meant to phone home?

Re:Monitored?

[omnichad]

load external content = phone home.

There are a lot of apps whose purpose is to present external data in a useful way. That's only marginally different than phoning home - you still want to proxy the data through your own domain for compatibility changes with the data provider if it's not your own data.

Re:Monitored?

[Assmasher]

I have one that logs into my company's server to retrieve configuration information (and has a special 'Apple' account that the Apple testers use to validate the app.)

I can see them testing releases in real-time on the server monitoring dashboard - "Oh, look, Apple just ran the app..."

Many business applications require this type of functionality when being tested by the App store (as mine does.)

Re:Monitored?

[Wrath0fb0b]

The kind that can review apps like Facebook, Twitter or Blah-With-Friends that are not meaningful except in conjunction with a web service.

Re:Most apps only get used for a few seconds anywa

....compared to Android apps? Usage figures seem to say otherwise.

How is this "academic" work?

What is the "academic" value of showing that one company has flawed processes? I'm not criticizing the findings themselves nor the methodoloy per se, but I just question that it's being done in the name of "academic" research when it is anything but (though I'm sure there will be attempts to divine some sort of generality from the results). The generality would have legitimately, in the academic world, come from a paper that might describe theoretically how such an attack could happen.

Don't get me wrong, I'm not saying that the work wasnt good.. I'm just saying that it's misplaced, to the extent that these guys deserve a serious review of their work. It's like "academics" doing research that's really market research ... and so not really appropriate.

TARGETS

[war4peace]

Sadly, it's a matter of expenses stripped to the bone. The "testers" have targets to fill. Here, you have 1000 apps to test and 3 days to do it. You miss this target twice, you get fired.

It's a method I've seen (generally) pretty much everywhere. UAT or internal testing is considered "money sink" and its attached expenses are minimized by all means.
I would frankly have been surprised if the testing method were to be any different.

Re:TARGETS

[Pieroxy]

Did you expect Apple to decompile everyone of those apps and pay an engineer 100k/year to read out decompiled code?

Re:TARGETS

[war4peace]

No, I didn't. If you would have read my post carefully, you would have realized that.
Apparently other people did expect it, though.

IOS : Miami

When it came to concealing its true nature from Apple, I guess you could say Jekyll found it easy to...

(puts on sunglasses)
 
...Hyde.

YEEEEAAAAAAAAAAAHHHHHHHH!!!!!

Re:IOS : Miami

[Richy_T]

I think RLS already beat you to that pun.

Jailbreaking works by attacking update mechanism

[SuperKendall]

You can't attack other apps?
So how does jailbreaking work?

Jailbreaking works by attacking the device over USB, generally the update mechanism - not something you can do through an app.

Re:Jailbreaking works by attacking update mechanis

[h4rr4r]

Only the most recent one.
There was a time you could jailbreak via pdf or just visiting a webpage. It is quite possible another such exploit will be found in the future.

Aha

[SuperKendall]

I looked for the paper but could not find the link. Thanks for the extra info.

As I thought, they did not break the sandbox at all. Attacks that don't work in iOS6 are irrelevant at this point...

It's totally sensationalized. It remains true there's no way a real app can "wreak havoc" even if you inject code later.

Re:Aha

[AmiMoJo]

That's a naive view. Getting users to grant permission for just about anything is pretty easy. Everyone knows this and it works on all platforms.

Re:Aha

[amicusNYCL]

It remains true there's no way a real app can "wreak havoc" even if you inject code later.

Maybe they would use one of those exploits from a jailbreak developer that Apple hired to add exploits into iOS.

Re:Aha

Hubris, Im not sure why you assume everyone has a new apple device with the latest software.

Which is not breaking the sandbox

[SuperKendall]

Private API calls are not breaking the sandbox.

Pretty much none of what they did that they consider an attack is possible in IOS 6., much less iOS7 which is on the eve of release - and some 95% of active devices are running iOS6 now.

I can break into Windos95 pretty easy too. But who cares and why would it warrant an article? The whole paper really boils down to "sometimes the app reviewers do not run an app for long" which is news to pretty much no-one.

Re: Which is not breaking the sandbox

Apple vigorously kills their legacy iOS devices. I own three iPod touches. None of them can run OS 6. One is slightly more than a year old. They also push app developers to code to the latest api, to further promote obsolescence.

Re: Which is not breaking the sandbox

The ipod touch 4th generation came out in 2011 and supports iOS 6. So you're full of shit.

That didn't work in an app

[SuperKendall]

There was a time you could jailbreak via pdf or just visiting a webpage.

The only reason THAT worked is because the Safari javascript engine has native code JIT that an app cannot use. And now you know why...

So still true that you cannot jailbreak out of an arbitrary app, only ever from system apps that have elevated privileges, and then only once years ago...

Im not saying such an attack will never exist, it's just exceedingly unlikely and far more unlikely inside of an app you deploy to the store.

Re:That didn't work in an app

[h4rr4r]

Either way security problems will exist and pretending that their app auditing is anything more than a justification for a walled garden is simply burying your head in the sand.

Re:That didn't work in an app

[Bogtha]

Either way security problems will exist and pretending that their app auditing is anything more than a justification for a walled garden is simply burying your head in the sand.

The walled garden is probably one reason for the approval process, but it's certainly not the only one. Apple seem genuinely motivated to use it to raise the quality of the end-user experience.

Here's one example: a few years ago, developers were complaining that Apple was rejecting their apps for having an icon of a phone in their app. It didn't make sense - why would Apple object to that? It wasn't an icon depicting a competing phone. It wasn't infringing on their trademarks or copyrights. People couldn't figure it out.

Then, a short while after, the iPad was released, which could run iPhone apps too. Suddenly, that restriction made sense. Apple wanted the designs to make sense for people using iPads as well. Is it a bit of a control-freak thing to do? Sure. But there's no reason to do stuff like that unless it's to improve the end-user experience.

Here's another example: Using undocumented APIs. A lot of people point to this as evidence that Apple are hobbling apps, artificially limiting their functionality. But any developer will tell you that people using non-public APIs is a nightmare for forwards compatibility. As soon as there's applications in the wild using an API, you'll have to make the choice between supporting it, unchanged, for eternity, or breaking things for users. Ask Microsoft- they've still got a tonne of backwards compatibility code in Windows because sometime in the early 90s, applications rooted out private APIs and depended on them to function.

How about another example: I've had an application rejected for giving a misleading error message. If somebody was trying to log in and their Internet connection wasn't up, it told them their username and password was wrong instead of telling them to check their connection. A dumb bug, but one that could confuse end users.

It doesn't really make sense for Apple to invest in this approval process, and piss off developers, and slow the whole thing down to a crawl if this is just a pretext for having a walled garden. Apple aren't shy about being control freaks. If it was just about being a walled garden, they'd say so, they are shameless about it.

Sometimes the simplest explanation is the right one - Apple have an approval process that rejects applications on quality and UX grounds because they want to ensure the quality of applications on the App Store. They might also have other motivations as well, but there's no reason to believe that that one is anything other than genuine.

Re:That didn't work in an app

[h4rr4r]

Then why not allow outside markets and advertise theirs as the premium one?

The simplest answer is, they want their 30%.

Re:That didn't work in an app

[Bogtha]

Then why not allow outside markets and advertise theirs as the premium one?

I'm responding to what you said here:

Either way security problems will exist and pretending that their app auditing is anything more than a justification for a walled garden is simply burying your head in the sand.

You were arguing that the promotion of a walled garden was the sole purpose for the approval process for the App Store. That's a silly thing to say, and I explained why. You've now changed your argument to something else - that Apple are enforcing the App Store as the sole source of applications to build a walled garden. That's a different argument entirely, and doesn't make what you said earlier any less silly.

Re:That didn't work in an app

[h4rr4r]

No that is the same argument.
Why would they want a walled garden for its own sake?

Perfect for the NSA

They can convince companies to add spyware to their apps and then turn it on at a later day. In fact maybe 100k of the shit apps out there were actually created by the NSA all with different accounts so when one account is deleted they still have others to use,

Havoc???

Where did it wreck havoc? I would be more worried about the malware rise in the Android App Store copy instead!

Corrections

[SuperKendall]

Good point. I guess that this never happened

Not in iOS6 it didn't. Apple started taking user security much more seriously in iOS6, anticipating a potential for such attacks. I always thought prior to that it was kind of nuts you could access the address book without permission - now you cannot.

Ah, the old "That vulnerability is completely theoretical" defense.

And yet it turns out to be true. The vulnerability is not real, only a theoretical possibility that relies on breaking the sandbox, which they have not done (using private API calls is not breaking out of the sandbox). You don't need to do anything sneaky in an app to do private API calls, but it remains true the sandbox is pretty secure and stops most REAL attacks.

You are crazy if you are more worried about a possible attack via an unknown hole in the sandbox, vs. very real attacks that are happening every day on Android...

As usual: Headline completely made up

[gnasher719]

1. The only people downloading the app were the developers. No "havoc" happened.

2. The app is sandboxed. It doesn't escape out of its sandbox. Therefore, it can only do things that it is allowed to do.

3. The identity of the developers was known to Apple. If malware was delivered to end users, Apple could get hold of the developer.

4. To actually attack an end user, you still have to create an app that does what it claims it does, and that does things interesting enough to make people download it.

5. If an app did "wreak havoc", then Apple could kill it dead on all iOS devices.

Re:As usual: Headline completely made up

2. The app is sandboxed. It doesn't escape out of its sandbox. Therefore, it can only do things that it is allowed to do.

You obviously missed the part where they discussed using private API calls to work around the Sandbox, to do things for which it wasn't granted permissions.

its looks like this malware...

[demoncleaner925]

made the app store....rotten to the core! LOL

Re:its looks like this malware...

[Dogtanian]

made the app store....rotten to the core! LOL

You're entitled to a free pair of sunglasses and a "YEEEEEAAAAAAAHHHHHH!!!!!" for every pun like that you make.

Re:its looks like this malware...

[demoncleaner925]

i dont need a new pair of sunglasses, but thanks for the offer. Also thanks for the sarcastic response. The truth is i had nothing to add to the conversation so i decided to go for an obvious pun, to be honest. I like making puns and please stay tuned for the next one, you better respond when i do.

Try it with an app that is eBook related

I just best if they tried this tactic with and app that made reference to it being able to view eBooks that it would get more than a few seconds look over by apple.

As an iOS developer...

As an iOS developer, I already discovered this a few months ago. I released an app to the store a few months ago that used Kiip for rewards. Kiip allows me to see who is using the app.

I was surprised when Kiip announced they only used my app for approximately 5 seconds. Since my app was a game in itself, that was about the time it would have taken for the game to launch.

I chalked it up to a mistake on Kiip's part... However, when it finally hit the store I installed it and was shocked to discover my game crashed after doing one of the most fundamental actions in the game. It crashed right on queue, every time.

There is no way Apple actually tested my game or they would have seen the crash and rejected my app (i wish they had. would have been better for me). Kiip was right.

So, I ended up fixing it and submitting an expedited review request that eventually fixed it a few days later.

Apple does NOT test apps before approval or only does for a very small sample of apps. I never thought of making malware of the situation though.

No Havoc

[nifkin]

From all I have read in the thread, the app was available for only a few minutes and could only attack an outdated (4% of users) version of iOS and still could not break out of the sandbox. Havoc is way overstating what happened. I agree with "headline completely made up".

Android Bouncer

Similar trick for Android from a year ago:

https://blog.duosecurity.com/2012/06/dissecting-androids-bouncer/

Wreaks Havoc?

[Wovel]

Just gonna lie in the headlines now? Come on...

Wrong, some of those do not work in iOS6 (or 7)

[SuperKendall]

Posting tweets, I know for a fact is the same as SMS and Email in that it's a sheet operated by the system, you can't touch it from the app.

The worst possible thing I thought, would be if it could actually dial out without the user giving permission. So I embedded the code they gave in the paper in a sample app, with the CoreTelephony framework (and a number of other frameworks/libraries for good measure) added:

      void* h = dlopen("CoreTelephony", 1);
      void (*CTCallDial)(NSString*)=dlsym(h, "CTCallDial");
        CTCallDial(@"A Valid Phone Number here");

Segfault, no dialing. So THAT does't work either.

I didn't test some of the other things but I really wonder how much they ACTUALLY tested on iOS6. What a shame that it's so easy to fool so many people like yourself just by throwing around terms like "private API" and some semi-plausable looking code...

I'm sure some of it would still work on iSO6, but it seems none of the really dangerous ones does. So my stance is still that they didn't really break out of the sandbox, they are just building some nice looking castles and pretending they are real.

Is it TOO MUCH TO ASK that some independent verification take place on fantastic claims like these?

Almost none

[SuperKendall]

Oh really? So how about those millions upon millions of IPhone 3 / 3G and IPad 1?

Very few, in any kind of access logs or app statistics from analytic libraries those devices fall way below 1% of devices.

Not everyone in this world is a wealthy American that would throw away a perfectly fine three year old phone or tablet

I didn't throw mine out. It just has more limited use than the newer devices. No way would I buy new apps to run on it, it just runs some apps that I bought for it a while ago, or works for browsing (or a photo frame).

If Microsoft behaved the way Apple does wrt. updates

Which they do - didn't you know?

Wrong, still no proof of many things

[SuperKendall]

The researchers wrote a fairly in-depth paper on the attack which can be read here..In the case of tweets, they make use of "private API's" to avoid notifying the user:.

Which does not work in iOS6, as mentioned by the article itself (it notes that attack only works in iOS5)

I attempted to get the dialing code as presenting working in iOS6. It segfaulted (and yes I did include the CoreTelephony framework, and used the -all_load linker flag). Since that's a bust how much other stuff in the paper does not work as claimed either?

Their POC app apparently performs the exact malicious tasks they indicate all without user notification.

They CLAIM it does, this is what requires proof. The paper is just providing some means how it might be done, not showing that it works.

Real proof would be a buildable, runnable project that did all of the things they claim. Since they are already providing source code in the paper why would they mind releasing a project... well where is it?

Not dialing

[SuperKendall]

Getting users to grant permission for just about anything is pretty easy.

Not dialing. If the user is presented with a dialog in the middle of an app run asking to dial some number they have no idea about, very few people will agree to that... context is very important.

Similarly just running some to-do list app and out of the blue it asks to use the camera? Not that many people would agree to do so, even those who are pretty naive.

Checking APIs

I do think that Apple checks automated for any non approved API calls or other methods of adressing functions outside of the 'standard' environment. I know of apps being rejected because of doing lower level calls.

I'm ALL about that (by doing the reverse)... apk

There's apps that prevent access to harmful data http://tech.slashdot.org/comments.pl?sid=4072127&cid=44581987 in a useful way that gains speed (as you admitted), added "layered-security"/"defense-in-depth", better reliability, superior anonymity, & just better overall as well (by yours truly).

* :)

(All of which you pulled a "Run, Forrest: RUN!!!" from in that link above too, no less... lol! "Gee, wonder why?" (NOT!!!)).

Everything's a dichotomy - I prove the usefulness of it @ times... speed gains that are incredible (by reduction of dead-weight useless more than potentially harmful data) - which you conceded but radically underestimated as well, but more security, reliability, & even anonymity added.

APK

P.S.=> Yes folks, I have to tell you: "It's not easy being 'world-class'" having to dispatch trolls as I did to omnichad using facts (does them in, every time) - pats self on shoulder!

... apk

Everything old is new again

App stores are going to continually up their level of interrogation to stay ahead of malware. In a similar way that PC users are still fighting malware, mobile platforms also have to make certain assumptions to detect malware-laden apps before they get to a consumer. While still an uphill battle, the control that Apple and Google have over the actual app stores (to varying degrees, of course) allows for a fighting chance, at least. There's a minimum set of hurdles that an attacker has to jump over in order to have an app pass through their direct stores. This research has some commonalities to the work Jon Oberheide and Charlie Miller did last year regarding Android's Bouncer (https://blog.duosecurity.com/2012/06/dissecting-androids-bouncer/). In that research they determined how Google was flagging a "bad app" and were able to circumvent that process by hiding the malware functionality when tested by Bouncer but not on a real device that would actually matter to an attacker. Overall, both pieces of research have huge implications for strengthening the security programs at Google and Apple.

Impossible to prevent all outward contact

Because of Apple's desire to allow in-app financial transactions, apps are allowed to reach out to a certain extent. If Apple closes things down all the way, so that this can never happen, the usefulness of the platform will suffer. I am interested in whether these students actually had credentials as researchers, or whether they were just a few hackers looking to generate some street cred by talking down the review process. I don't like the way Apple is doing things, but I think everyone involved in this "research" should have their developer credentials suspended. They definitely violated their developer agreement. For all we know these people are on Microsoft's payroll. I call bullshit on the entire situation.