New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Researchers Show How Apple's App Approval Process Can Be Beaten by Malicious Apps

NewImageResearchers from Georgia Tech submitted to the App Store and received approval for a malicious app, according to Technology Review. The researchers submitted an innocuous app that included inactive malware-type code hidden from Apple's app approval system.

When downloaded onto a test device after the app was approved, the app 'phoned home' and gained a variety of abilities that compromised the host phone.
This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Appleā€™s default browser, to a website with more malware.
The researchers, including Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, only put the app on the App Store very briefly and it was not downloaded by anyone other than research team members.

The team said that using monitoring code built into the app, they determined that Apple's app approval team only ran the app for a few seconds and that malicious code was not discovered by Apple's team. "The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," said Lu.

Apple spokesman Tom Neumayr told Technology Review that the company made some changes to the iOS operating system in response to the paper, though he did not specify what the changes were.

Top Rated Comments

(View all)

18 months ago

I've come to a conclusion that all these analysts / researchers lack any thrill in their lives ..all they want to see is apple or any other company fail ..


I don't understand how pointing out a flaw that can be fixed represents a desire to see Apple fail.:confused:
Rating: 12 Votes
18 months ago
Sorry, I thought this was already public knowledge. Any app developer can embed malicious code, then have it 'turn on' at a specific time. There is no code check, Apple only launch the app - they never get a copy of the source code of each app so have no way of knowing what's inside of it.

The only way this will ever change is if the compilation of the apps is done on Apple servers.
Rating: 11 Votes
18 months ago
Hats off to Georgia Tech!
Rating: 8 Votes
18 months ago
Brace yourself. This Thread is about to turn into such a heated debate not even the Marshmallows will survive. :cool:
Rating: 7 Votes
18 months ago

Fortunately with Apple's system - if something malicious is discovered it can be quickly pulled before harming anyone else.

Try getting the word out about a bad program and having it's website pulled. Much tougher as proven by all the spyware windows applications available.


Too bad this malicious malware wasn't discovered.
Rating: 5 Votes
18 months ago

As long as they reported the issue to Apple privately long before dangling a treat in front of criminals.


Well, the fact that you can deactivate malicious code in your app until your app passed Apples review is well known to basically everyone who writes software.

Does anybody remember HiddenApps (http://www.macrumors.com/2013/03/11/hiddenapps-hides-stock-apps-iads-and-more-on-non-jailbroken-ios-devices/), the app that could be used to hide app icons on your device?
That app fetched a file from a webserver, if the file said "hide malicious code" the app showed some useless tricks on how to save battery. Once the app passed review the file said "do evil stuff" and the app executed the parts that would have lead to an rejection immediately.

There is no way to catch all evil code in an App. Not even access to the source code will make you a hundred percent safe. Because you have to read and understand it all to make a judgement. Ain't nobody got time for that.
Rating: 4 Votes
18 months ago

Fortunately with Apple's system - if something malicious is discovered it can be quickly pulled before harming anyone else.


Perhaps I'm misunderstanding the post above, but my reading of the News story indicated that Apple's approval process DIDN"T catch the malware embedded in the app, which was downloaded...if only by the researchers. It's my impression that the research points out weaknesses in the approval process which could allow malware to be downloaded by consumers before Apple catches it.

The research is valuable, IMO, in pointing out problems which Apple can now address.
Rating: 4 Votes
18 months ago
We are lucky there are people out there who spend time doing this only to strengthen security in the system. I highly support hacking for the benefit of others.
Rating: 4 Votes
18 months ago
Question is, how many people discovered and implemented it before it was found by this research.
Rating: 3 Votes
18 months ago

So, Apple doesn't further verify identity after an app is submitted?


You just moved the goalposts. I was responding to:

There is a big difference in the amount of vetting to create a developer account for each platform.


As I said, there is no big difference in vetting to create a developer account.

Heck, Apple doesn't even care if you're actually even a developer, or just someone getting multiple accounts so they can sell more beta slots. (They say they do, but it never seems to result in any large scale shutdowns.)

--

Re: the diagram. Not sure what that is supposed to represent. Where did it come from, so that I can see its context. Thanks!
Rating: 3 Votes

[ Read All Comments ]