Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Jekyll" Test Attack Sneaks Through Apple App Store, Wreaks Havoc

Posted by samzenpus on from the wolf-in-sheep's-clothing dept.

An anonymous reader writes "A malware test app sneaked through Apple's review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS 'sandbox' designed to isolate apps and data from each other. The app, dubbed Jekyll, was helped by Apple's review process. The malware designers, a research team from Georgia Institute of Technology's Information Security Center, were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn't anywhere near long enough to discover Jekyll's deceitful nature."

26 of 206 comments (clear)

  1. Apple review process = a few seconds? by Anonymous Coward · · Score: 5, Insightful

    There is no point to the closed system if you let just anyone come in.

    1. Re:Apple review process = a few seconds? by Anonymous Coward · · Score: 5, Insightful

      There is no point to the closed system if you let just anyone come in.

      Of course there is, silly! It's called "style". More specifically, "illusion of security", which is a style. Apple's big on that sort of thing, you know.

    2. Re:Apple review process = a few seconds? by Anonymous Coward · · Score: 4, Insightful

      I found it shocking that they ran it for only a few seconds. I would have expected them to have at least run through all screens/features of the app to ensure that it does what it claims to do. This is a classic case of prioritising volume instead of quality.

    3. Re:Apple review process = a few seconds? by Anonymous Coward · · Score: 5, Insightful

      Not true. A closed system can be used to ban competitors whose work you plan to steal.

    4. Re:Apple review process = a few seconds? by stewsters · · Score: 4, Insightful

      I know some people who were working on an MMO, and during the testing phase someone created an account, logged into the server, walked about 10 feed, opened an escape menu and left, and they were approved. I assume they have some sort of automated scans too, but it doesn't seem like the walled garden provides much security, only an additional chance to charge people.

    5. Re:Apple review process = a few seconds? by Sarten-X · · Score: 5, Insightful

      Checklist for approval:

      • Does the app crash on our profiler?
      • Does the app look like it does something useful?
      • Will users feel like they've been lied to by the App Store listing?

      Note that Apple's motivation is not to ensure that only quality apps get into the store. Rather, they just want to make sure that the store itself isn't tarnished. If 30% of your downloaded apps are just shells around scam-laden videos, you'll stop using the store, so they just test each app long enough to make sure that it kinda-sorta does what's claimed. Any problems after that are going to be blamed on the developer, not Apple.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    6. Re:Apple review process = a few seconds? by PIBM · · Score: 5, Interesting

      I've had a game published which wasn't even started, or approved while only displaying 'an internet connection is required to proceed'. It's hard to be checked out less than this..

    7. Re:Apple review process = a few seconds? by h4rr4r · · Score: 4, Insightful

      Not from any apps sold via the Amazon Appstore for Android.

      The entire point of Apple's closed system is that they are the only publisher of software for the platform. This means they get a cut of sales no matter what.

    8. Re:Apple review process = a few seconds? by Anonymous Coward · · Score: 5, Insightful

      Without knowing much about the setup, I'm kind of doubtful that they can have a high level of confidence that it really ran for a few seconds. If I were testing apps like this, I'd run a good bit of my testing on a disposable VM with a faked network. That way it couldn't send connections out and any self-modification it did while in the test harness would be ignored, so nobody but me would have any way of knowing what went on in the harness

    9. Re:Apple review process = a few seconds? by gl4ss · · Score: 5, Informative

      you can go without a middleman for android apps.. all android devices allow you to install apk's.

      now that is a large difference to iOS or windows phone.

      if you don't see the difference then you're a fucking moron, the other os allows you to point to a file on any fucking webserver and the other doesn't. the other platform allows you to install anything without the device(or os) manufacturer greenlighting the app while the other censors whatever the fuck it wants that week to censor.

      --
      world was created 5 seconds before this post as it is.
    10. Re:Apple review process = a few seconds? by Pieroxy · · Score: 4, Insightful

      Without knowing much about the setup, I'm kind of doubtful that they can have a high level of confidence that it really ran for a few seconds. If I were testing apps like this, I'd run a good bit of my testing on a disposable VM with a faked network. That way it couldn't send connections out and any self-modification it did while in the test harness would be ignored, so nobody but me would have any way of knowing what went on in the harness

      In other words, you would reject any app relying on a webservice somewhere on the internet. Good policy I guess. Nobody needs Instagram, Facebook of Twitter apps.

      --
      Write boring code, not shiny code!
  2. Wreak Havoc seems a bit overblown by glennrrr · · Score: 5, Insightful

    Since it was just a proof of concept and was on the store for a few moments.

  3. Re:BUT MACS DON'T GET ... by Immerman · · Score: 5, Insightful

    Why waste your time with viruses when people will pay to run your Trojan?

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  4. Q&A by tuo42 · · Score: 5, Interesting

    When I read this article, it strengthens my opinion that the Q&A process for the App Store is absolutely flawed. Don't get me wrong, regardless of wether you like or hate the walled garden, I actually am of the opinion that the guidelines - especially the UI guidelines - developers have to follow to beeing approved for the app store are a good thing in and itself. The Google Play store has similar guidelines, allthough - IMHO - not as focused on user experience.

    I had a apps declined due to improper usage of a certain widget in another certain widget which was not deemed "correct" (switch button in a table footer for example), but always was able to either find a similar solution or - in one rare case (the one mentioned) - explaining WHY that switch button is there, and how if you take a look at the UI, understand what it does.

    Then again I saw apps in the store which completely failed most of the even basic guidelines, described as (between the lines): "fail these, and your app will 100% be NOT approved", and I wondered "how did they get in there"?

    Talked to other developers, same experience. Some knew they had a few things in there against the guidelines (custom springboards, views not conform with the UI guidelines) and hoped to get through. Sometimes they managed, sometime not, so they also got the feeling that the Q&A for the App store is somewhat like tax declaration. They don't seem to have enough time/ressources to check all, so if you something that is against the guidelines, you have to hope that you are one who doesn't get checked thoroughly.

    1. Re:Q&A by Bogtha · · Score: 5, Insightful

      I'm an iOS developer, and the approval process can be a real problem for me sometimes, but I still think the App Store is far better with it than without it.

      I've seen a lot of clients ask for dumb stuff. Using UI elements in confusing ways. Doing user-abusive stuff. Being generally annoying and self-serving rather than being designed with the user's best interests as a goal.

      The great thing about the approval process is that I can tell those clients "Apple won't allow it" and it instantly shuts them up. The alternative would be hours of trying to convince them not to do something horrible, which leaves everybody unhappy no matter what decision is made. And this is the best case scenario, when you've got a developer willing to go to bat for the users. There's plenty of developers out there who will blindly do whatever the client asks, no matter how shitty it makes the UX.

      It's not just bad decisions. It's QA as well. Do you have any idea how keen people are to just push stuff live and then fix it after? I don't know about you, but I don't want a dozen updates every morning as developers meddle with their apps trying to get things right. The approval process gives developers the stick necessary to perform proper QA. We don't dare push anything live if there's the possibility of a crasher, because Apple will reject it and we have to wait another week to get reviewed again.

      If the approval process wasn't there, then the quality of the apps on the App Store would plummet. You think it's bad with Android, but Android doesn't attract the worst kinds of ambulance chasers. The App Store would be 75% Geocities level quality in no time at all.

      What I do disagree with is making the App Store the only way to get applications onto the device. There's really no legitimate reason for not allowing side-loading for people willing to go into settings and agree to a disclaimer.

      --
      Bogtha Bogtha Bogtha
  5. Re:iOS apps -- can they self-modify? by schneidafunk · · Score: 4, Interesting

    From my understanding, compiled code is reviewed once. However, in the cell phone app that I made, a lot of content was pulled from a database that I controlled, meaning product information could be updated by me without the need of review from Apple. We joked about replacing images with NSFW images, but I imagine what this team did was have a compiled app that ran code from a DB and was similarly able to be updated later.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
  6. Re:Most apps only get used for a few seconds anywa by Provocateur · · Score: 4, Funny

    oh, you mean like my single-serving friends that I meet in my travels

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  7. I call bullshit on "unaware" claims by SuperKendall · · Score: 4, Interesting

    I can totally see getting an app through the submission process that does something a bit sneaky. Sometimes the app reviewers hardly look at a thing (though sometimes they look very carefully, it just depends on the reviewer).

    But the claim the app could "wreak havoc" needs some proof. They said:

    a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps â" all without the users knowledge

    Every single one of those, requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.

    Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:I call bullshit on "unaware" claims by Bogtha · · Score: 4, Informative

      Every single one of those, requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet.

      Read the paper - they watched the interaction in a debugger to find the right messages to send to the right private classes in order to bypass this.

      This only worked with iOS 5 - last year Apple moved sheets like these into external processes and used a proxy view controller to show them in applications instead of embedding the functionality directly, so attacks like this aren't possible any more where this technique has been used.

      I agree that this is somewhat sensationalised, but they were able to do this without the normal user approval in the 4% or so of people still running a two year old version of iOS.

      --
      Bogtha Bogtha Bogtha
    2. Re:I call bullshit on "unaware" claims by Zalbik · · Score: 4, Informative

      This only worked with iOS 5

      Some items only worked in iOS 5.

      Based on Table 1 from their paper here, the following items could be accomplished by their app on iOS 6:
      - posting tweets
      - using the camera
      - dialing
      - using bluetooth
      - crashing safari
      - stealing device

      It was only sending SMS messages, sending email, and rebooting the system that were limited to iOS 5.

  8. The value isn't in review, it's in revocation. by Above · · Score: 5, Insightful

    No review process will ever catch all bad actors. I think Apple should be doing a better job with reviews in several dimensions, but that's not the prime advantage to the Apple ecosystem.

    The main advantage is Apple can revoke the application. If this app started doing bad things Apple can remotely prevent it from running, and in fact revoke all apps by the same developer. This central control is what scares people, but it's also what makes long term exploitation impossible. The Google ecosystem doesn't have this feature, with no centralized control.

  9. Monitored? by wiredlogic · · Score: 4, Interesting

    What kind of two-bit operation is Apple running if apps can phone home during the vetting process.

    --
    I am becoming gerund, destroyer of verbs.
  10. TARGETS by war4peace · · Score: 4, Insightful

    Sadly, it's a matter of expenses stripped to the bone. The "testers" have targets to fill. Here, you have 1000 apps to test and 3 days to do it. You miss this target twice, you get fired.

    It's a method I've seen (generally) pretty much everywhere. UAT or internal testing is considered "money sink" and its attached expenses are minimized by all means.
    I would frankly have been surprised if the testing method were to be any different.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  11. Re:BUT MACS DON'T GET ... by CanHasDIY · · Score: 4, Interesting

    Heh, remember when Apple changed the info on their page from "DOES NOT GET VIRUSES" to "DOES NOT GET PC VIRUSES"?

    That was classic.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  12. Re:BUT MACS DON'T GET ... by Samantha+Wright · · Score: 4, Informative

    iOS still has a lot going on under the floorboards that's a rather faithful ARM port of OS X. At least for the pertinent intents and purposes, it's pretty safe to say iPhones are Macs. And stuff.

    --
    Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  13. Re:BUT MACS DON'T GET ... by ColdWetDog · · Score: 4, Funny

    No, I believe it was OS X.

    --
    Faster! Faster! Faster would be better!