
"Jekyll" Test Attack Sneaks Through Apple App Store, Wreaks Havoc

samzenpus posted 1 year,8 days | from the wolf-in-sheep's-clothing dept.

Security 206

An anonymous reader writes "A malware test app sneaked through Apple's review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS 'sandbox' designed to isolate apps and data from each other. The app, dubbed Jekyll, was helped by Apple's review process. The malware designers, a research team from Georgia Institute of Technology's Information Security Center, were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn't anywhere near long enough to discover Jekyll's deceitful nature."


206 comments


BUT MACS DON'T GET ... (3, Funny)

Anonymous Coward | 1 year,8 days | (#44609007)

BUT MACS DON'T GET VIRUSES.
 
Unless they're too slow.

Re:BUT MACS DON'T GET ... (5, Insightful)

Immerman (2627577) | 1 year,8 days | (#44609139)

Why waste your time with viruses when people will pay to run your Trojan?

Re:BUT MACS DON'T GET ... (-1)

Anonymous Coward | 1 year,8 days | (#44609299)

Last I checked the iPhone wasn't a Mac, but I get your point...

Re:BUT MACS DON'T GET ... (4, Informative)

Samantha Wright (1324923) | 1 year,8 days | (#44609889)

iOS still has a lot going on under the floorboards that's a rather faithful ARM port of OS X. At least for the pertinent intents and purposes, it's pretty safe to say iPhones are Macs. And stuff.

Re:BUT MACS DON'T GET ... (2)

rudy_wayne (414635) | 1 year,8 days | (#44609471)

But Macs DON'T GET VIRUSES.

Except when they do.

Fixed that for you.

Re:BUT MACS DON'T GET ... (4, Interesting)

CanHasDIY (1672858) | 1 year,8 days | (#44609659)

Heh, remember when Apple changed the info on their page from "DOES NOT GET VIRUSES" to "DOES NOT GET PC VIRUSES"?

That was classic.

Re:BUT MACS DON'T GET ... (4, Funny)

ColdWetDog (752185) | 1 year,8 days | (#44609953)

No, I believe it was OS X.

Re:BUT MACS DON'T GET ... (-1)

Anonymous Coward | 1 year,8 days | (#44609909)

Compared to any other OS they don't. Especially Android; even Windows Phone is less prone to malware than Android!

Apple review process = a few seconds? (5, Insightful)

Anonymous Coward | 1 year,8 days | (#44609053)

There is no point to the closed system if you let just anyone come in.

Re:Apple review process = a few seconds? (5, Insightful)

Anonymous Coward | 1 year,8 days | (#44609123)

There is no point to the closed system if you let just anyone come in.

Of course there is, silly! It's called "style". More specifically, "illusion of security", which is a style. Apple's big on that sort of thing, you know.

Re:Apple review process = a few seconds? (4, Insightful)

Anonymous Coward | 1 year,8 days | (#44609129)

I found it shocking that they ran it for only a few seconds. I would have expected them to have at least run through all screens/features of the app to ensure that it does what it claims to do. This is a classic case of prioritising volume instead of quality.

Re:Apple review process = a few seconds? (4, Insightful)

stewsters (1406737) | 1 year,8 days | (#44609219)

I know some people who were working on an MMO, and during the testing phase someone created an account, logged into the server, walked about 10 feet, opened an escape menu and left, and they were approved. I assume they have some sort of automated scans too, but it doesn't seem like the walled garden provides much security, only an additional chance to charge people.

Re:Apple review process = a few seconds? (5, Insightful)

Sarten-X (1102295) | 1 year,8 days | (#44609327)

Checklist for approval:

  • Does the app crash on our profiler?
  • Does the app look like it does something useful?
  • Will users feel like they've been lied to by the App Store listing?

Note that Apple's motivation is not to ensure that only quality apps get into the store. Rather, they just want to make sure that the store itself isn't tarnished. If 30% of your downloaded apps are just shells around scam-laden videos, you'll stop using the store, so they just test each app long enough to make sure that it kinda-sorta does what's claimed. Any problems after that are going to be blamed on the developer, not Apple.

Re:Apple review process = a few seconds? (5, Interesting)

PIBM (588930) | 1 year,8 days | (#44609335)

I've had a game published which wasn't even started, or approved while only displaying 'an internet connection is required to proceed'. It's hard to be checked out less than this..

Re:Apple review process = a few seconds? (5, Insightful)

Anonymous Coward | 1 year,8 days | (#44609387)

Without knowing much about the setup, I'm kind of doubtful that they can have a high level of confidence that it really ran for a few seconds. If I were testing apps like this, I'd run a good bit of my testing on a disposable VM with a faked network. That way it couldn't send connections out and any self-modification it did while in the test harness would be ignored, so nobody but me would have any way of knowing what went on in the harness.

TARGETS (4, Insightful)

war4peace (1628283) | 1 year,8 days | (#44609479)

Sadly, it's a matter of expenses stripped to the bone. The "testers" have targets to fill. Here, you have 1000 apps to test and 3 days to do it. You miss this target twice, you get fired.

It's a method I've seen (generally) pretty much everywhere. UAT or internal testing is considered "money sink" and its attached expenses are minimized by all means.
I would frankly have been surprised if the testing method were to be any different.

Re:Apple review process = a few seconds? (5, Insightful)

Anonymous Coward | 1 year,8 days | (#44609131)

Not true. A closed system can be used to ban competitors whose work you plan to steal.

Re:Apple review process = a few seconds? (0)

Anonymous Coward | 1 year,8 days | (#44609259)

True, I meant from security standpoint. Of course it gives you the power to abuse the process.

Re:Apple review process = a few seconds? (3, Insightful)

h4rr4r (612664) | 1 year,8 days | (#44609271)

Sure there is.
They get a cut of all software on the platform. That is the entire point.

Re:Apple review process = a few seconds? (0)

Anonymous Coward | 1 year,8 days | (#44609351)

Because Google takes no cut from software sold through its store?

Re:Apple review process = a few seconds? (4, Insightful)

h4rr4r (612664) | 1 year,8 days | (#44609367)

Not from any apps sold via the Amazon Appstore for Android.

The entire point of Apple's closed system is that they are the only publisher of software for the platform. This means they get a cut of sales no matter what.

Re:Apple review process = a few seconds? (0)

Desler (1608317) | 1 year,8 days | (#44609443)

Not from any apps sold via the Amazon Appstore for Android.

You've just changed middlemen. They still take a cut.

The entire point of Apple's closed system is that they are the only publisher of software for the platform. This means they get a cut of sales no matter what.

So no different than any other mobile store.

Re:Apple review process = a few seconds? (2)

h4rr4r (612664) | 1 year,8 days | (#44609487)

You could also distribute the app via your own website.

Quite different from other mobile stores. Since there is more than one option. You are even free to become your own publisher with no middleman.

Re:Apple review process = a few seconds? (2)

Nerdfest (867930) | 1 year,8 days | (#44609509)

The point of Android is openness and choice. If you don't like Amazon getting a cut, use F-Droid, manually load APK files, or use one of the many other sources for Android applications. Apple is very different from most other software repositories in that it's the only one you are allowed to use. Microsoft is pushing hard for this model with Windows 8 and their Metro apps, and it's very profitable and you can lock out competition if you wish.

Re:Apple review process = a few seconds? (1)

cbhacking (979169) | 1 year,8 days | (#44609735)

You mean, aside from the fact that Win8 "Modern" (the interface formerly known as Metro) apps are allowed to be sideloaded? That enabling sideloading can be done by anybody with Admin access to the machine in question, even on the otherwise-locked-down Windows RT (yes, Admin is available by default on RT)?

MS would surely *like* that cut, but they aren't locking out alternative distribution... although admittedly they are discouraging it.

Re:Apple review process = a few seconds? (2)

Nerdfest (867930) | 1 year,8 days | (#44609893)

Microsoft offers free developer licenses for Windows 8. These licenses allow developers to test and evaluate their apps before submitting them to the Windows Store. Each developer license will expire after some time, but you can repeat the process to acquire a new license in the future.

Is that no longer accurate?

Re:Apple review process = a few seconds? (5, Informative)

gl4ss (559668) | 1 year,8 days | (#44609673)

you can go without a middleman for android apps.. all android devices allow you to install apk's.

now that is a large difference to iOS or windows phone.

if you don't see the difference then you're a fucking moron, the other os allows you to point to a file on any fucking webserver and the other doesn't. the other platform allows you to install anything without the device(or os) manufacturer greenlighting the app while the other censors whatever the fuck it wants that week to censor.

Re:Apple review process = a few seconds? (1)

CanHasDIY (1672858) | 1 year,8 days | (#44609685)

Not from any apps sold via the Amazon Appstore for Android.

The entire point of Apple's closed system is that they are the only publisher of software for the platform. This means they get a cut of sales no matter what.

Plus the cut they get from charging $99/yr for the privilege of developing iOS apps.

Apple Security Team (0)

Anonymous Coward | 1 year,8 days | (#44609063)

So...it has come to get this...

Wreak Havoc seems a bit overblown (5, Insightful)

glennrrr (592457) | 1 year,8 days | (#44609065)

Since it was just a proof of concept and was on the store for a few moments.

Re:Wreak Havoc seems a bit overblown (1)

Anonymous Coward | 1 year,8 days | (#44609167)

They needed 'wreaks havoc' to meet the Headline Hyperbole Quotient for the story. Any story about Apple, Microsoft or Google now requires a significant HHQ.

Re:Wreak Havoc seems a bit overblown (0)

Anonymous Coward | 1 year,8 days | (#44609169)

Depends on how you restrict your concept of havoc. The amount of tardy kerfuffle about this exploit, and the potential future impacts, could be considered to constitute havoc.

Re:Wreak Havoc seems a bit overblown (2)

Freshly Exhumed (105597) | 1 year,8 days | (#44609207)

You are showing your human bias. Think in terms of clock ticks and the amount that can be accomplished by a computing device in "a few moments" and it becomes clear that "Wreak Havoc" is justifiable even if harm wasn't necessarily found after their analysis.

Re:Wreak Havoc seems a bit overblown (2, Interesting)

Anonymous Coward | 1 year,8 days | (#44609391)

Reminds me of this scene from First Contact:

(Picard drains the coolant, finds the Borg Queen's head and neck that is still blinking. He breaks the neck)
DATA: Captain.
PICARD: Data, ...are you all right?
DATA: I would imagine that I look worse than I ...feel. ...Strange. ...Part of me is sorry she is dead.
PICARD: She was unique.
DATA: She brought me closer to humanity than I could have thought possible. And for a time I was tempted by her offer.
PICARD: How long a time?
DATA: Zero point six eight seconds, sir. For an android ...that is nearly an eternity.

Re:Wreak Havoc seems a bit overblown (0)

Anonymous Coward | 1 year,8 days | (#44609331)

Probably wreaked havoc on the career of the monkey who approved it.

Re:Wreak Havoc seems a bit overblown (1)

Anonymous Coward | 1 year,8 days | (#44609429)

Perhaps it is referring to the cognitive dissonance experienced by Apple fanboys who believe the delusion that the Apple app store is magically more secure than the Google store.

Re:Wreak Havoc seems a bit overblown (2)

sl4shd0rk (755837) | 1 year,8 days | (#44609535)

was on the store for a few moments.

Agreed. All iOS apps claiming to be "malware" need to actually destroy something or we aren't going to believe you could actually do it.

Re:Wreak Havoc seems a bit overblown (2)

Zalbik (308903) | 1 year,8 days | (#44609677)

Since it was just a proof of concept and was on the store for a few moments.

Yes, but it was only on the app store for a few minutes due to the researchers removing it:

"The researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm."

A better headline may have been:
"Researchers demonstrate that havoc-wreaking malware can bypass Apple's app store review process"

iOS apps -- can they self-modify? (3, Interesting)

swb (14022) | 1 year,8 days | (#44609155)

Let's say you submit an app to the app store, and like many it's designed to do something fairly idiotic that today's kids find funny, say, take a picture and then superimpose the picture onto a set of background images included with the app.

Now, let's say the app writer has steganographically embedded "naughty" code in the background images, maybe even going so far as to spread the code across all the images, encrypt, etc. to make it difficult to find.

Can the app modify itself by taking its hidden code from the images and actually execute it? Can you download "new" code from the internet, even if its steganographically hidden? It seems like you shouldn't be able to do this, like the apps should be sandboxed from modifying their own code just to prevent importing unapproved code.

Re:iOS apps -- can they self-modify? (4, Interesting)

schneidafunk (795759) | 1 year,8 days | (#44609225)

From my understanding, compiled code is reviewed once. However, in the cell phone app that I made, a lot of content was pulled from a database that I controlled, meaning product information could be updated by me without the need of review from Apple. We joked about replacing images with NSFW images, but I imagine what this team did was have a compiled app that ran code from a DB and was similarly able to be updated later.

Re:iOS apps -- can they self-modify? (0)

Anonymous Coward | 1 year,8 days | (#44609249)

I don't think you even have to let the app modify itself. You could hide some kind of simple but obfuscated interpreter inside the app, and run hidden code from images through the interpreter.

Re:iOS apps -- can they self-modify? (1)

stewsters (1406737) | 1 year,8 days | (#44609281)

How would you stop it? Code is just instructions: you make it scan the image (easily concealable for an image editing program) and then have the poorly written (or obfuscated) Objective-C code conceal code that executes the data in the image. Without removing all inputs it's hard to do.

Re:iOS apps -- can they self-modify? (2)

h4rr4r (612664) | 1 year,8 days | (#44609297)

Why would it need to modify its own code?
Why not just have an interpreter in there to begin with? Or just have a simple date check. Don't be evil for X days.

Since they only have the compiled program they have no idea what it will do in the future.

Re:iOS apps -- can they self-modify? (3, Interesting)

cusco (717999) | 1 year,8 days | (#44609463)

One of the voting machine vendors (not Diebold) actually did this in order to pass testing to get approval. From Date 01 to Date 07 it would only run locally available code, but then from Date 08 onwards it would check for scripts available on the inserted compact flash card and run them if they existed. The CF cards were only supposed to be used for recording votes, but the company was also using it to update the machine's firmware. No one knows for sure whether the scripts were used to change votes or anything else, but the possibility was certainly there.

Re:iOS apps -- can they self-modify? (1)

sjames (1099) | 1 year,8 days | (#44609389)

Build an interpreter into the app. No need for it to modify its own code, just the data that tells it when to do what.

Re:iOS apps -- can they self-modify? (1)

Bogtha (906264) | 1 year,8 days | (#44609407)

For the most part, yes, but not in the way you think. Objective-C is a very dynamic language. It's not really about sandboxing - apps can't modify their own code. What they can do is include components that do fairly generic, innocuous things, then take external input and construct messages to those existing components on the fly based on that input.
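What Bogtha describes (innocuous components, with the messages sent to them assembled at runtime from external input) is also why review is hard: the selector and class names never appear in the code as literals, so reading it tells you nothing about what will be invoked. The Python scanner below is an added example, not code from this thread or from the Georgia Tech paper; it flags Objective-C dynamic-dispatch sites (`NSSelectorFromString`, `NSClassFromString`, `performSelector:`) whose selector or class name is not a compile-time literal. The Objective-C fragment it scans is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed Objective-C fragment used as scanner input; it is not from the
# paper, the Jekyll app, or any real project.
SAMPLE_SOURCE = r'''
// Harmless: the selector is a compile-time literal
[self performSelector:@selector(refreshThumbnails)];

// Selector and class are built from data that review never sees
NSString *name = [config objectForKey:@"action"];
SEL sel = NSSelectorFromString(name);
Class cls = NSClassFromString([config objectForKey:@"target"]);
[[cls new] performSelector:sel withObject:nil];

// A string literal: still dynamic dispatch, but the name is visible
SEL s2 = NSSelectorFromString(@"setDimmed:");
'''

# Call sites where the selector or class name is decided at runtime.
DYNAMIC_APIS = {
    "NSSelectorFromString": re.compile(r"NSSelectorFromString\s*\(\s*([^)]*)\)"),
    "NSClassFromString": re.compile(r"NSClassFromString\s*\(\s*([^)]*)\)"),
    "performSelector": re.compile(r"performSelector:\s*([^\s\]]+)"),
}


def classify_argument(arg: str) -> str:
    """static: @selector(...); literal: @"..." string; dynamic: anything else."""
    arg = arg.strip()
    if arg.startswith("@selector("):
        return "static"
    if arg.startswith('@"') and arg.endswith('"'):
        return "literal"
    return "dynamic"


def scan_source(source: str) -> List[Dict]:
    """Return one finding per dynamic-dispatch call site, with its line number."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith("//"):
            continue  # comment-only line
        for api, pattern in DYNAMIC_APIS.items():
            for match in pattern.finditer(line):
                arg = match.group(1)
                findings.append({
                    "line": lineno,
                    "api": api,
                    "argument": arg.strip(),
                    "kind": classify_argument(arg),
                })
    return findings


def dynamic_sites(findings: List[Dict]) -> List[Dict]:
    """The findings a reviewer cannot resolve by reading the code."""
    return [f for f in findings if f["kind"] == "dynamic"]


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']:>2}  {f['api']:<22} {f['kind']:<8} {f['argument']}")
```

The "literal" class is reported separately on purpose: a literal selector string is still dynamic dispatch, but the name is visible to a reviewer and can be checked against a private-API list, whereas the three "dynamic" sites can resolve to any selector the server (or an image, or a date check) chooses to supply.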

Re:iOS apps -- can they self-modify? (1)

gnasher719 (869701) | 1 year,8 days | (#44610003)

Can the app modify itself by taking its hidden code from the images and actually execute it? Can you download "new" code from the internet, even if its steganographically hidden? It seems like you shouldn't be able to do this, like the apps should be sandboxed from modifying their own code just to prevent importing unapproved code.

It may be quite possible that you can create code on the fly. However, the app is still sandboxed. It has permissions, and it cannot do anything that it isn't permitted to do. Which _should_ be a protection against viruses (even if some virus or malware can attack your app, it cannot break out of the sandbox and do things that the app isn't allowed to do), but it also protects against the app maker doing naughty things himself.

Um.. (0)

Anonymous Coward | 1 year,8 days | (#44609173)

“The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says,”

So it "wreaked havoc" when no one installed it? lolwut?

Re:Um.. (0)

Anonymous Coward | 1 year,8 days | (#44609361)

Hype? FUD? or, what I think, poor use of words for the summary title....
I see you are new to /. if you didn't notice that.

Re:Um.. (1)

CanHasDIY (1672858) | 1 year,8 days | (#44609697)

“The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says,”

So it "wreaked havoc" when no one installed it? lolwut?

"No innocent victims" != "no one"

Re:Um.. (1)

Desler (1608317) | 1 year,8 days | (#44609899)

Actually it really does. Only the researchers installed it before it was pulled.

Q&A (5, Interesting)

tuo42 (3004801) | 1 year,8 days | (#44609189)

When I read this article, it strengthens my opinion that the Q&A process for the App Store is absolutely flawed. Don't get me wrong, regardless of whether you like or hate the walled garden, I actually am of the opinion that the guidelines - especially the UI guidelines - developers have to follow to be approved for the app store are a good thing in and of itself. The Google Play store has similar guidelines, although - IMHO - not as focused on user experience.

I had apps declined due to improper usage of a certain widget in another certain widget which was not deemed "correct" (switch button in a table footer for example), but always was able to either find a similar solution or - in one rare case (the one mentioned) - explain WHY that switch button is there, and how, if you take a look at the UI, you understand what it does.

Then again I saw apps in the store which completely failed most of the even basic guidelines, described as (between the lines): "fail these, and your app will 100% be NOT approved", and I wondered "how did they get in there"?

Talked to other developers, same experience. Some knew they had a few things in there against the guidelines (custom springboards, views not conforming with the UI guidelines) and hoped to get through. Sometimes they managed, sometimes not, so they also got the feeling that the Q&A for the App Store is somewhat like a tax declaration. They don't seem to have enough time/resources to check everything, so if you have something that is against the guidelines, you have to hope that you are one who doesn't get checked thoroughly.

Re:Q&A (-1, Troll)

game kid (805301) | 1 year,8 days | (#44609267)

The real reason for those guidelines is so that people can be certain your App Store software is 100% proprietary.

If they cared about viruses and privacy and safety and all that, then Facebook [apple.com] wouldn't have been approved.

Re:Q&A (1)

tuo42 (3004801) | 1 year,8 days | (#44609409)

Then again to them (and I think any business) it might be a difference if some John Doe sends an app which reads "share your life, your secrets, your meals, your pets, where you go, what you think, what you don't think, who you like, who you don't like, what you do etc. with all of your friends, sometimes their friends, people you don't like but have to be friends with to be cool or to prevent being fired and of course the NSA and at least five other absolutely professional security agencies around the world for FREE!!!!" than when one of the most influential social networks enters an app that basically reads the same but in fewer words: "do everything you do on facebook, but while you're away from your computer".

Re:Q&A (0)

Anonymous Coward | 1 year,8 days | (#44609439)

Do you know the difference between "guidelines" and "rules"? I don't think you do, otherwise you wouldn't have used the word "certain".
They are guidelines... general rules of thumb that can be broken if there is a good reason to, but 95% of the time, they should be followed.
Also, the reason for them is to encourage a consistent user experience across apps... How could a 3rd party app be "proprietary"?

The guidelines do not address privacy or security.

Re:Q&A (2)

tuo42 (3004801) | 1 year,8 days | (#44609293)

Help, I need someone repair my brain, fast!

Of course I meant QA! How could that go through my Q&A..... ;)

Re:Q&A (1)

Princeofcups (150855) | 1 year,8 days | (#44609395)

Talked to other developers, same experience. Some knew they had a few things in there against the guidelines (custom springboards, views not conforming with the UI guidelines) and hoped to get through. Sometimes they managed, sometimes not, so they also got the feeling that the Q&A for the App Store is somewhat like a tax declaration. They don't seem to have enough time/resources to check everything, so if you have something that is against the guidelines, you have to hope that you are one who doesn't get checked thoroughly.

It sounds like someone is rubber stamping apps, and not doing his job.

Re:Q&A (1)

h4rr4r (612664) | 1 year,8 days | (#44609421)

Well it is an impossible task, so no surprise there.

I can easily make an app that has a good mode and an evil mode, it decides which by downloading some images from my website. Since the app is used for some image related task you would never notice.

Unless Apple has solved the halting problem and they failed to tell us.
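h4rr4r's "good mode and evil mode" app, and the "don't be evil for X days" date check suggested earlier in the thread, share one property: the app's behaviour depends on something the reviewer only implicitly controls, the clock and the network. Nobody needs to solve the halting problem to catch that particular trick; the defensive move, in the spirit of the disposable-VM-with-faked-network idea above, is to run the same build under several synthetic environments and diff the capabilities it asks for. The Python below is an added simulation, not code from this thread or from the paper: the app under test, its submission date and the environment labels are all constructed for the example, and capability requests are recorded as strings rather than performed.

```python
import datetime
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Date the app was submitted for review (constructed for this example).
REVIEW_DATE = datetime.date(2013, 3, 1)


@dataclass
class ReviewEnvironment:
    """Synthetic execution environment handed to the app under test."""
    today: datetime.date
    remote_config: Optional[dict]  # None models an unreachable server
    calls: List[str] = field(default_factory=list)

    def request(self, capability: str) -> None:
        # Capabilities are recorded, never actually exercised.
        self.calls.append(capability)


def sample_app(env: ReviewEnvironment) -> None:
    """Constructed app under test: a photo-filter app whose behaviour
    depends on the clock and on a server-supplied config value."""
    env.request("camera")
    # Date check: quiet for 30 days after submission, then asks for more.
    if env.today > REVIEW_DATE + datetime.timedelta(days=30):
        env.request("sms")
    # Server-controlled switch: a config value the reviewer never sees.
    cfg = env.remote_config or {}
    if cfg.get("filters") == "extended":
        env.request("address_book")
    env.request("photo_library")


def build_environments() -> Dict[str, ReviewEnvironment]:
    """One baseline run plus three variations a reviewer should compare."""
    benign = {"filters": "basic"}
    return {
        "review": ReviewEnvironment(REVIEW_DATE, dict(benign)),
        "clock_plus_90d": ReviewEnvironment(
            REVIEW_DATE + datetime.timedelta(days=90), dict(benign)),
        "config_changed": ReviewEnvironment(REVIEW_DATE, {"filters": "extended"}),
        "offline": ReviewEnvironment(REVIEW_DATE, None),
    }


def differential_review(app, environments) -> Tuple[Dict[str, Set[str]], Dict[str, List[str]]]:
    """Run the app in every environment and report capabilities that show up
    only outside the baseline 'review' run."""
    traces: Dict[str, Set[str]] = {}
    for label, env in environments.items():
        app(env)
        traces[label] = set(env.calls)
    baseline = traces["review"]
    divergences = {
        label: sorted(calls - baseline)
        for label, calls in traces.items()
        if calls - baseline
    }
    return traces, divergences


def run_review() -> Dict[str, List[str]]:
    """Convenience entry point: just the divergence report for sample_app."""
    _, divergences = differential_review(sample_app, build_environments())
    return divergences


if __name__ == "__main__":
    for label, extra in run_review().items():
        print(f"{label}: extra capabilities {extra}")
```

The single "review" run, which is what a few seconds of manual testing amounts to, sees only the camera and photo library; the clock-shifted and config-changed runs are what surface the SMS and address-book requests. The limit of the technique is the one h4rr4r points at: it only catches triggers the harness thought to vary, so it narrows the gap rather than closing it.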

Re:Q&A (0)

Anonymous Coward | 1 year,8 days | (#44609423)

Meh. Jekyll's author wasn't too smart either. He did this right before iOS 7 comes out so now Apple can claim "this was already fixed in the new version". Also, I'm pretty sure his developer account will be banned and he'll never get another one.

Re:Q&A (5, Insightful)

Bogtha (906264) | 1 year,8 days | (#44609511)

I'm an iOS developer, and the approval process can be a real problem for me sometimes, but I still think the App Store is far better with it than without it.

I've seen a lot of clients ask for dumb stuff. Using UI elements in confusing ways. Doing user-abusive stuff. Being generally annoying and self-serving rather than being designed with the user's best interests as a goal.

The great thing about the approval process is that I can tell those clients "Apple won't allow it" and it instantly shuts them up. The alternative would be hours of trying to convince them not to do something horrible, which leaves everybody unhappy no matter what decision is made. And this is the best case scenario, when you've got a developer willing to go to bat for the users. There's plenty of developers out there who will blindly do whatever the client asks, no matter how shitty it makes the UX.

It's not just bad decisions. It's QA as well. Do you have any idea how keen people are to just push stuff live and then fix it after? I don't know about you, but I don't want a dozen updates every morning as developers meddle with their apps trying to get things right. The approval process gives developers the stick necessary to perform proper QA. We don't dare push anything live if there's the possibility of a crasher, because Apple will reject it and we have to wait another week to get reviewed again.

If the approval process wasn't there, then the quality of the apps on the App Store would plummet. You think it's bad with Android, but Android doesn't attract the worst kinds of ambulance chasers. The App Store would be 75% Geocities level quality in no time at all.

What I do disagree with is making the App Store the only way to get applications onto the device. There's really no legitimate reason for not allowing side-loading for people willing to go into settings and agree to a disclaimer.

Re:Q&A (0)

Anonymous Coward | 1 year,8 days | (#44609969)

Exactly! The user experience would be horrible if it was up to most paying clients. Thanks for the excellent post.

Re:Q&A (0)

Threni (635302) | 1 year,8 days | (#44609821)

>The Google Play store has similar guidelines, allthough -
> IMHO - not as focused on user experience.

That's why I prefer Android - I don't care what Google or anyone else thinks of people's apps. It's none of their business.

Oh SNAP! (0)

Anonymous Coward | 1 year,8 days | (#44609213)

"Apple ran the app for only a few seconds, before ultimately approving it."

Most apps only get used for a few seconds anyway (0)

JoeyRox (2711699) | 1 year,8 days | (#44609223)

iOS apps are disposable like travel-sized portions of toothpaste.

Re:Most apps only get used for a few seconds anywa (4, Funny)

Provocateur (133110) | 1 year,8 days | (#44609307)

oh, you mean like my single-serving friends that I meet in my travels

Re:Most apps only get used for a few seconds anywa (1)

tuo42 (3004801) | 1 year,8 days | (#44609341)

Wanna buy some soap?

Re:Most apps only get used for a few seconds anywa (0)

Anonymous Coward | 1 year,8 days | (#44609453)

....compared to Android apps? Usage figures seem to say otherwise.

Truly shocked at this (1)

Anonymous Coward | 1 year,8 days | (#44609275)

Would have trusted Steve Jobs to have solved the Halting Problem before he died. Guess he was a mere mortal after all.

I call bullshit on "unaware" claims (4, Interesting)

SuperKendall (25149) | 1 year,8 days | (#44609353)

I can totally see getting an app through the submission process that does something a bit sneaky. Sometimes the app reviewers hardly look at a thing (though sometimes they look very carefully, it just depends on the reviewer).

But the claim the app could "wreak havoc" needs some proof. They said:

a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps - all without the user's knowledge

Every single one of those requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.

Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...

Re:I call bullshit on "unaware" claims (1)

h4rr4r (612664) | 1 year,8 days | (#44609393)

You can't attack other apps?
So how does jailbreaking work?

If you can jailbreak, you can use that to attack other apps or do any of those other wonderful things.

Sure you would need to use a jailbreak after being installed, but chaining together attacks is a well known thing to do.

Jailbreaking works by attacking update mechanism (1)

SuperKendall (25149) | 1 year,8 days | (#44609721)

You can't attack other apps?
So how does jailbreaking work?

Jailbreaking works by attacking the device over USB, generally the update mechanism - not something you can do through an app.

Re:Jailbreaking works by attacking update mechanis (1)

h4rr4r (612664) | 1 year,8 days | (#44609741)

Only the most recent one.
There was a time you could jailbreak via PDF or just visiting a webpage. It is quite possible another such exploit will be found in the future.

That didn't work in an app (3, Insightful)

SuperKendall (25149) | 1 year,8 days | (#44609853)

There was a time you could jailbreak via PDF or just visiting a webpage.

The only reason THAT worked is because the Safari JavaScript engine has a native code JIT that an app cannot use. And now you know why...

So still true that you cannot jailbreak out of an arbitrary app, only ever from system apps that have elevated privileges, and then only once years ago...

I'm not saying such an attack will never exist, it's just exceedingly unlikely and far more unlikely inside of an app you deploy to the store.

Re:That didn't work in an app (1)

h4rr4r (612664) | 1 year,8 days | (#44610021)

Either way security problems will exist and pretending that their app auditing is anything more than a justification for a walled garden is simply burying your head in the sand.

Re:I call bullshit on "unaware" claims (0)

Anonymous Coward | 1 year,8 days | (#44609507)

Head, meet sand. Enjoy your stay.

Re:I call bullshit on "unaware" claims (1)

Anonymous Coward | 1 year,8 days | (#44609533)

In the full paper they describe how they can do these actions without user consent, by calling the private APIs available.

Which is not breaking the sandbox (1)

SuperKendall (25149) | 1 year,8 days | (#44609783)

Private API calls are not breaking the sandbox.

Pretty much none of what they did that they consider an attack is possible in iOS 6, much less iOS 7 which is on the eve of release - and some 95% of active devices are running iOS 6 now.

I can break into Windows 95 pretty easily too. But who cares and why would it warrant an article? The whole paper really boils down to "sometimes the app reviewers do not run an app for long" which is news to pretty much no one.

Re:I call bullshit on "unaware" claims (4, Informative)

Bogtha (906264) | 1 year,8 days | (#44609585)

Every single one of those, requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet.

Read the paper - they watched the interaction in a debugger to find the right messages to send to the right private classes in order to bypass this.

This only worked with iOS 5 - last year Apple moved sheets like these into external processes and used a proxy view controller to show them in applications instead of embedding the functionality directly, so attacks like this aren't possible any more where this technique has been used.

I agree that this is somewhat sensationalised, but they were able to do this without the normal user approval in the 4% or so of people still running a two year old version of iOS.

Re:I call bullshit on "unaware" claims (0)

Anonymous Coward | 1 year,8 days | (#44609657)

Mod this up. This is correct. Their 'attacks' won't even work on the iOS version that 95% of iOS devices run, and surely those that are actively purchasing stuff.

Re:I call bullshit on "unaware" claims (0)

Anonymous Coward | 1 year,8 days | (#44609883)

That doesn't matter! This isn't Android we're talking about.

Aha (2, Informative)

SuperKendall (25149) | 1 year,8 days | (#44609745)

I looked for the paper but could not find the link. Thanks for the extra info.

As I thought, they did not break the sandbox at all. Attacks that don't work in iOS6 are irrelevant at this point...

It's totally sensationalized. It remains true there's no way a real app can "wreak havoc" even if you inject code later.

Re:I call bullshit on "unaware" claims (4, Informative)

Zalbik (308903) | 1 year,8 days | (#44609897)

This only worked with iOS 5

Some items only worked in iOS 5.

Based on Table 1 from their paper here [usenix.org], the following items could be accomplished by their app on iOS 6:
- posting tweets
- using the camera
- dialing
- using bluetooth
- crashing safari
- stealing device

It was only sending SMS messages, sending email, and rebooting the system that were limited to iOS 5.

Re:I call bullshit on "unaware" claims (1)

Minwee (522556) | 1 year,8 days | (#44609779)

Every single one of those requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.

Good point. I guess that this never happened [arstechnica.com] because of the tight limits put on app capabilities.

Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...

Ah, the old "That vulnerability is completely theoretical" [l0pht.com] defense. It worked so well for Microsoft in 1992, and it's still working for Apple today.

Corrections (2)

SuperKendall (25149) | 1 year,8 days | (#44609919)

Good point. I guess that this never happened

Not in iOS6 it didn't. Apple started taking user security much more seriously in iOS6, anticipating a potential for such attacks. I always thought prior to that it was kind of nuts you could access the address book without permission - now you cannot.

Ah, the old "That vulnerability is completely theoretical" defense.

And yet it turns out to be true. The vulnerability is not real, only a theoretical possibility that relies on breaking the sandbox, which they have not done (using private API calls is not breaking out of the sandbox). You don't need to do anything sneaky in an app to do private API calls, but it remains true the sandbox is pretty secure and stops most REAL attacks.

You are crazy if you are more worried about a possible attack via an unknown hole in the sandbox, vs. very real attacks that are happening every day on Android...

Re:I call bullshit on "unaware" claims (1)

Zalbik (308903) | 1 year,8 days | (#44609859)

Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented.

No, they do not. Their claims require more proof than the reporter presented in the article.

The researchers wrote a fairly in-depth paper on the attack which can be read here [usenix.org].

In the case of tweets, they make use of "private APIs" to avoid notifying the user:

the public API called by the app will present a tweet view to the user, and let the user decide whether to post it or not, as shown in Figure 9. However, we find that the tweet view in Figure 9 can be bypassed by using private APIs, i.e., our app can post tweets without the user's knowledge. Next, we describe how we discover the private APIs needed for achieving this goal.

Their POC app apparently performs the exact malicious tasks they indicate all without user notification.

Bravo (0)

hesaigo999ca (786966) | 1 year,8 days | (#44609415)

Well done, by Jove I think you've got something, my dear Watson!

The value isn't in review, it's in revocation. (5, Insightful)

Above (100351) | 1 year,8 days | (#44609419)

No review process will ever catch all bad actors. I think Apple should be doing a better job with reviews in several dimensions, but that's not the prime advantage to the Apple ecosystem.

The main advantage is Apple can revoke the application. If this app started doing bad things Apple can remotely prevent it from running, and in fact revoke all apps by the same developer. This central control is what scares people, but it's also what makes long term exploitation impossible. The Google ecosystem doesn't have this feature, with no centralized control.

Re:The value isn't in review, it's in revocation. (2, Insightful)

berj (754323) | 1 year,8 days | (#44609743)

No review process will ever catch all bad actors. I think Apple should be doing a better job with reviews in several dimensions, but that's not the prime advantage to the Apple ecosystem.

The main advantage is Apple can revoke the application. If this app started doing bad things Apple can remotely prevent it from running, and in fact revoke all apps by the same developer. This central control is what scares people, but it's also what makes long term exploitation impossible. The Google ecosystem doesn't have this feature, with no centralized control.

I'm pretty sure (though not 100%) that this isn't true.

I've downloaded many apps that have since been pulled from the app store (some MAME apps and some tethering apps). They all still run. Apple can pull apps from the store so that they can't be downloaded again, but once you've got them on your device they can't do anything.

Re:The value isn't in review, it's in revocation. (0)

Anonymous Coward | 1 year,8 days | (#44609997)

Apple *does* have a kill switch that they can use to remotely remove/disable apps, but AFAIK they've never used it.

Pulling an app from the store isn't the same as firing the kill switch. As you said, pulling an app from the store just entails removing it from their servers so it can no longer be downloaded. The kill switch would actually remove the app from users' devices or prevent it from running.

Monitored? (4, Interesting)

wiredlogic (135348) | 1 year,8 days | (#44609435)

What kind of two-bit operation is Apple running if apps can phone home during the vetting process?

Re:Monitored? (0)

Anonymous Coward | 1 year,8 days | (#44609523)

Huh? What about apps that are meant to phone home?

Re:Monitored? (2)

omnichad (1198475) | 1 year,8 days | (#44609789)

load external content = phone home.

There are a lot of apps whose purpose is to present external data in a useful way. That's only marginally different than phoning home - you still want to proxy the data through your own domain for compatibility changes with the data provider if it's not your own data.

Re:Monitored? (1)

Assmasher (456699) | 1 year,8 days | (#44609801)

I have one that logs into my company's server to retrieve configuration information (and has a special 'Apple' account that the Apple testers use to validate the app.)

I can see them testing releases in real-time on the server monitoring dashboard - "Oh, look, Apple just ran the app..."

Many business applications require this type of functionality when being tested by the App store (as mine does.)

How is this "academic" work? (0)

Anonymous Coward | 1 year,8 days | (#44609477)

What is the "academic" value of showing that one company has flawed processes? I'm not criticizing the findings themselves nor the methodology per se, but I just question that it's being done in the name of "academic" research when it is anything but (though I'm sure there will be attempts to divine some sort of generality from the results). The generality would have legitimately, in the academic world, come from a paper that might describe theoretically how such an attack could happen.

Don't get me wrong, I'm not saying that the work wasn't good. I'm just saying that it's misplaced, to the extent that these guys deserve a serious review of their work. It's like "academics" doing research that's really market research ... and so not really appropriate.

IOS : Miami (0)

Anonymous Coward | 1 year,8 days | (#44609557)

When it came to concealing its true nature from Apple, I guess you could say Jekyll found it easy to...

(puts on sunglasses)
 
...Hyde.

YEEEEAAAAAAAAAAAHHHHHHHH!!!!! [youtube.com]

Perfect for the NSA (0)

Anonymous Coward | 1 year,8 days | (#44609867)

They can convince companies to add spyware to their apps and then turn it on at a later date. In fact maybe 100k of the shit apps out there were actually created by the NSA all with different accounts, so when one account is deleted they still have others to use.

Apple's motto (-1, Troll)

slashmydots (2189826) | 1 year,8 days | (#44609879)

"Fuck security, MONEY MONEY MONEY!"
They're the most expensive app market to submit to by the way.

Havoc??? (0)

Anonymous Coward | 1 year,8 days | (#44609891)

Where did it wreak havoc? I would be more worried about the malware rise in the Android App Store copy instead!

As usual: Headline completely made up (2)

gnasher719 (869701) | 1 year,8 days | (#44609943)

1. The only people downloading the app were the developers. No "havoc" happened.

2. The app is sandboxed. It doesn't escape out of its sandbox. Therefore, it can only do things that it is allowed to do.

3. The identity of the developers was known to Apple. If malware was delivered to end users, Apple could get hold of the developer.

4. To actually attack an end user, you still have to create an app that does what it claims it does, and that does things interesting enough to make people download it.

5. If an app did "wreak havoc", then Apple could kill it dead on all iOS devices.

it looks like this malware... (1)

demoncleaner925 (2718229) | 1 year,8 days | (#44610031)

made the app store....rotten to the core! LOL