Researchers Show How Apple's App Approval Process Can Be Beaten by Malicious Apps

by

NewImageResearchers from Georgia Tech submitted to the App Store and received approval for a malicious app, according to Technology Review. The researchers submitted an innocuous app that included inactive malware-type code hidden from Apple's app approval system.

When downloaded onto a test device after the app was approved, the app 'phoned home' and gained a variety of abilities that compromised the host phone.

This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware.

The researchers, including Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, only put the app on the App Store very briefly and it was not downloaded by anyone other than research team members.

The team said that using monitoring code built into the app, they determined that Apple's app approval team only ran the app for a few seconds and that malicious code was not discovered by Apple's team. "The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," said Lu.

Apple spokesman Tom Neumayr told Technology Review that the company made some changes to the iOS operating system in response to the paper, though he did not specify what the changes were.

Top Rated Comments

Shrink Avatar
Shrink
102 months ago
I've come to a conclusion that all these analysts / researchers lack any thrill in their lives ..all they want to see is apple or any other company fail ..
I don't understand how pointing out a flaw that can be fixed represents a desire to see Apple fail.:confused:
Score: 12 Votes (Like | Disagree)
rmwebs Avatar
rmwebs
102 months ago
Sorry, I thought this was already public knowledge. Any app developer can embed malicious code, then have it 'turn on' at a specific time. There is no code check, Apple only launch the app - they never get a copy of the source code of each app so have no way of knowing what's inside of it.

The only way this will ever change is if the compilation of the apps is done on Apple servers.
Score: 11 Votes (Like | Disagree)
darster Avatar
darster
102 months ago
Hats off to Georgia Tech!
Score: 8 Votes (Like | Disagree)
Dr McKay Avatar
Dr McKay
102 months ago
Brace yourself. This Thread is about to turn into such a heated debate not even the Marshmallows will survive. :cool:
Score: 7 Votes (Like | Disagree)
JayCee842 Avatar
JayCee842
102 months ago
Fortunately with Apple's system - if something malicious is discovered it can be quickly pulled before harming anyone else.

Try getting the word out about a bad program and having it's website pulled. Much tougher as proven by all the spyware windows applications available.

Too bad this malicious malware wasn't discovered.
Score: 5 Votes (Like | Disagree)
fluchtpunkt Avatar
fluchtpunkt
102 months ago
As long as they reported the issue to Apple privately long before dangling a treat in front of criminals.

Well, the fact that you can deactivate malicious code in your app until your app passed Apples review is well known to basically everyone who writes software.

Does anybody remember HiddenApps (https://www.macrumors.com/2013/03/11/hiddenapps-hides-stock-apps-iads-and-more-on-non-jailbroken-ios-devices/), the app that could be used to hide app icons on your device?
That app fetched a file from a webserver, if the file said "hide malicious code" the app showed some useless tricks on how to save battery. Once the app passed review the file said "do evil stuff" and the app executed the parts that would have lead to an rejection immediately.

There is no way to catch all evil code in an App. Not even access to the source code will make you a hundred percent safe. Because you have to read and understand it all to make a judgement. Ain't nobody got time for that.
Score: 4 Votes (Like | Disagree)
Read All Comments

Top Stories

apple watch 6s 202009

Bloomberg: Apple Watch Series 7 to Feature Thinner Screen Bezels, Faster Processor, and Updated Ultra Wideband Tech

Monday June 14, 2021 3:41 am PDT by
This year's Apple Watch Series 7 is likely to have thinner display bezels and use a new lamination technique that brings the display closer to the front cover, according to Bloomberg's Mark Gurman. From the report: The Cupertino, California-based tech giant is planning to refresh the line this year -- with a model likely dubbed the Apple Watch Series 7 -- by adding a faster processor,...
Read Full Article164 comments
ios 15 home screen icons

iOS 15 Lets You Drag and Drop Images and Text Across Apps

Saturday June 12, 2021 3:17 pm PDT by
Apple this week previewed iOS 15, which is available now in beta for developers ahead of a public release later this year. One smaller but useful new feature added is the ability to drag and drop images, text, files, and more across apps on iPhone. MacStories editor-in-chief Federico Viticci demonstrated the new feature in a tweet: Using cross-app drag and drop on iPhone in iOS 15. Finally 🎉 #WW ...
Read Full Article101 comments
studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
Read Full Article162 comments
apple virtual game controller ios 15

Apple Makes New On-Screen Game Controller Available to Developers on iOS 15 and iPadOS 15

Saturday June 12, 2021 12:36 pm PDT by
During the Platforms State of the Union at WWDC this week, Apple unveiled a new API for iOS 15 and iPadOS 15 that enables developers to implement an on-screen virtual game controller in their iPhone and iPad games with just a few lines of code. While many iPhone and iPad games already offer on-screen controls, Apple's new virtual game controller is available to all developers, easy to add,...
Read Full Article44 comments
ipad mini 6

Next iPad Mini Will Allegedly Feature Thinner Bezels, USB-C Port, and Touch ID Power Button

Friday June 11, 2021 1:13 pm PDT by
On his newly launched Front Page Tech website, leaker Jon Prosser has shared renders showing off the alleged design of the next-generation iPad mini, which he says are based on schematics, CAD files, and real images of the device. In line with details shared earlier this month by Bloomberg's Mark Gurman and Debby Wu, Prosser claims that the new iPad mini will feature slimmer bezels around...
Read Full Article160 comments
maxresdefault

Apple Promotes iPad Pro in New Ad With 'The Little Mermaid' Musical Spin

Saturday June 12, 2021 7:01 am PDT by
In a currently unlisted ad on YouTube, Apple is promoting the versatility, portability, and power of the M1 iPad Pro in a fun musical inspired by The Little Mermaid's "Part of Your World" soundtrack. In the ad, which features the main character using an M1 iPad Pro, Magic Keyboard, and Apple Pencil, multiple users can be seen struggling with their old PCs indoors while hoping that they can...
Read Full Article367 comments
passwords system preferences

macOS Monterey Features Dedicated Password Section in System Preferences, Built-In Authenticator and More

Friday June 11, 2021 2:32 pm PDT by
macOS Monterey makes several improvements to password management, positioning iCloud Keychain as an ideal password service to replace third-party services like Lastpass and 1Password. In System Preferences, there's a new "Passwords" section that houses all of your iCloud Keychain logins and passwords so they're easier to get to, edit, and manage. There's a similar Passwords section that's...
Read Full Article203 comments
macos monterey tidbits feature copy

macOS Monterey Tidbits: Animated Memoji on Login Screen, Change the Color of the Mouse Pointer, and More

Friday June 11, 2021 10:27 am PDT by
We've highlighted several new features coming in macOS Monterey, such as Low Power Mode and the option to erase a Mac without reinstalling the operating system, but there are some smaller tidbits that we wanted to share. Animated Memoji on Login Screen One small but fun new feature in macOS Monterey is the addition of a personalized Memoji on the login screen, complete with animated facial...
Read Full Article86 comments
m1 imac back

Some M1 iMac Models Shipping With Crooked Mountings

Monday June 14, 2021 12:50 pm PDT by
Some M1 iMacs appear to have a manufacturing defect that causes the display to be mounted on the stand in a way that's not perfectly aligned, leading to a crooked display. YouTuber iPhonedo over the weekend published a review of the M1 iMac, and he found that his machine appeared to be tilted on one side, a mounting disparity that was visibly noticeable and proved with a ruler. Another...
Read Full Article176 comments
mr white ipod touch 5 protoype3

Unreleased iPod Touch 5 With Chamfered Edges and 30-Pin Dock Connector Shared Online

Thursday June 10, 2021 2:05 am PDT by
Occasional leaker Mr White has today shared interesting images on Twitter of what appears to be an old-school fifth-generation iPod touch prototype with chamfered edges and a brushed aluminum finish. The original iPod touch 5 that Apple released in October 2012 had a unibody anodized aluminum chassis with rounded edges, and was available in several colors, including slate. Another...
Read Full Article31 comments