Security Apple

"Jekyll" Test Attack Sneaks Through Apple App Store, Wreaks Havoc 206

An anonymous reader writes "A malware test app sneaked through Apple's review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS 'sandbox' designed to isolate apps and data from each other. The app, dubbed Jekyll, was helped by Apple's review process. The malware designers, a research team from Georgia Institute of Technology's Information Security Center, were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn't anywhere near long enough to discover Jekyll's deceitful nature."

  • by Anonymous Coward on Monday August 19, 2013 @01:28PM (#44609053)

    There is no point to the closed system if you let just anyone come in.

  • by glennrrr ( 592457 ) on Monday August 19, 2013 @01:29PM (#44609065)
    Since it was just a proof of concept and was on the store for a few moments.
  • by Anonymous Coward on Monday August 19, 2013 @01:33PM (#44609123)

    There is no point to the closed system if you let just anyone come in.

    Of course there is, silly! It's called "style". More specifically, "illusion of security", which is a style. Apple's big on that sort of thing, you know.

  • by Anonymous Coward on Monday August 19, 2013 @01:33PM (#44609129)
    I found it shocking that they ran it for only a few seconds. I would have expected them to have at least run through all screens/features of the app to ensure that it does what it claims to do. This is a classic case of prioritising volume instead of quality.
  • by Anonymous Coward on Monday August 19, 2013 @01:34PM (#44609131)

    Not true. A closed system can be used to ban competitors whose work you plan to steal.

  • by Immerman ( 2627577 ) on Monday August 19, 2013 @01:34PM (#44609139)

    Why waste your time with viruses when people will pay to run your Trojan?

  • by stewsters ( 1406737 ) on Monday August 19, 2013 @01:41PM (#44609219)
    I know some people who were working on an MMO, and during the testing phase someone created an account, logged into the server, walked about 10 feet, opened an escape menu and left, and they were approved. I assume they have some sort of automated scans too, but it doesn't seem like the walled garden provides much security, only an additional chance to charge people.
  • by h4rr4r ( 612664 ) on Monday August 19, 2013 @01:45PM (#44609271)

    Sure there is.
    They get a cut of all software on the platform. That is the entire point.

  • by Sarten-X ( 1102295 ) on Monday August 19, 2013 @01:50PM (#44609327) Homepage

    Checklist for approval:

    • Does the app crash on our profiler?
    • Does the app look like it does something useful?
    • Will users feel like they've been lied to by the App Store listing?

    Note that Apple's motivation is not to ensure that only quality apps get into the store. Rather, they just want to make sure that the store itself isn't tarnished. If 30% of your downloaded apps are just shells around scam-laden videos, you'll stop using the store, so they just test each app long enough to make sure that it kinda-sorta does what's claimed. Any problems after that are going to be blamed on the developer, not Apple.

  • by h4rr4r ( 612664 ) on Monday August 19, 2013 @01:53PM (#44609367)

    Not from any apps sold via the Amazon Appstore for Android.

    The entire point of Apple's closed system is that they are the only publisher of software for the platform. This means they get a cut of sales no matter what.

  • by Anonymous Coward on Monday August 19, 2013 @01:55PM (#44609387)

    Without knowing much about the setup, I'm kind of doubtful that they can have a high level of confidence that it really ran for a few seconds. If I were testing apps like this, I'd run a good bit of my testing on a disposable VM with a faked network. That way it couldn't send connections out and any self-modification it did while in the test harness would be ignored, so nobody but me would have any way of knowing what went on in the harness.

  • by Above ( 100351 ) on Monday August 19, 2013 @01:58PM (#44609419)

    No review process will ever catch all bad actors. I think Apple should be doing a better job with reviews in several dimensions, but that's not the prime advantage to the Apple ecosystem.

    The main advantage is Apple can revoke the application. If this app started doing bad things Apple can remotely prevent it from running, and in fact revoke all apps by the same developer. This central control is what scares people, but it's also what makes long term exploitation impossible. The Google ecosystem doesn't have this feature, with no centralized control.

  • TARGETS (Score:5, Insightful)

    by war4peace ( 1628283 ) on Monday August 19, 2013 @02:03PM (#44609479)

    Sadly, it's a matter of expenses stripped to the bone. The "testers" have targets to fill. Here, you have 1000 apps to test and 3 days to do it. You miss this target twice, you get fired.

    It's a method I've seen (generally) pretty much everywhere. UAT or internal testing is considered "money sink" and its attached expenses are minimized by all means.
    I would frankly have been surprised if the testing method were to be any different.

  • Re:Q&A (Score:5, Insightful)

    by Bogtha ( 906264 ) on Monday August 19, 2013 @02:08PM (#44609511)

    I'm an iOS developer, and the approval process can be a real problem for me sometimes, but I still think the App Store is far better with it than without it.

    I've seen a lot of clients ask for dumb stuff. Using UI elements in confusing ways. Doing user-abusive stuff. Being generally annoying and self-serving rather than being designed with the user's best interests as a goal.

    The great thing about the approval process is that I can tell those clients "Apple won't allow it" and it instantly shuts them up. The alternative would be hours of trying to convince them not to do something horrible, which leaves everybody unhappy no matter what decision is made. And this is the best case scenario, when you've got a developer willing to go to bat for the users. There's plenty of developers out there who will blindly do whatever the client asks, no matter how shitty it makes the UX.

    It's not just bad decisions. It's QA as well. Do you have any idea how keen people are to just push stuff live and then fix it after? I don't know about you, but I don't want a dozen updates every morning as developers meddle with their apps trying to get things right. The approval process gives developers the stick necessary to perform proper QA. We don't dare push anything live if there's the possibility of a crasher, because Apple will reject it and we have to wait another week to get reviewed again.

    If the approval process wasn't there, then the quality of the apps on the App Store would plummet. You think it's bad with Android, but Android doesn't attract the worst kinds of ambulance chasers. The App Store would be 75% Geocities level quality in no time at all.

    What I do disagree with is making the App Store the only way to get applications onto the device. There's really no legitimate reason for not allowing side-loading for people willing to go into settings and agree to a disclaimer.

  • by berj ( 754323 ) on Monday August 19, 2013 @02:33PM (#44609743)

    No review process will ever catch all bad actors. I think Apple should be doing a better job with reviews in several dimensions, but that's not the prime advantage to the Apple ecosystem.

    The main advantage is Apple can revoke the application. If this app started doing bad things Apple can remotely prevent it from running, and in fact revoke all apps by the same developer. This central control is what scares people, but it's also what makes long term exploitation impossible. The Google ecosystem doesn't have this feature, with no centralized control.

    I'm pretty sure (though not 100%) that this isn't true.

    I've downloaded many apps that have since been pulled from the app store (some MAME apps and some tethering apps). They all still run. Apple can pull apps from the store so that they can't be downloaded again but once you've got them on your device they can't do anything.

  • by SuperKendall ( 25149 ) on Monday August 19, 2013 @02:41PM (#44609853)

    There was a time you could jailbreak via pdf or just visiting a webpage.

    The only reason THAT worked is because the Safari javascript engine has native code JIT that an app cannot use. And now you know why...

    So still true that you cannot jailbreak out of an arbitrary app, only ever from system apps that have elevated privileges, and then only once years ago...

    I'm not saying such an attack will never exist, it's just exceedingly unlikely and far more unlikely inside of an app you deploy to the store.

  • by Anonymous Coward on Monday August 19, 2013 @03:41PM (#44610571)

    Funny... Typical iHating apple-bashing for no other reason than just to make yourselves feel better.

    The research was a very interesting read. That being said, I will GLADLY put more trust into Apple's curated App store than the open wild-west mess that Android is. It takes researchers running proof-of-concepts to try to slip something into the App Store. How many apps have been reported on iOS since the iPhone was first introduced found to be nefarious in nature?? I dunno... five? Six? Ten??

    How many apps for Android have been reported to contain malware of some kind? I dunno... but a simple Google search pretty much says it all. So much in fact, that when yet another hourly-malware discovery is reported for Android, it's a non-event.

    Keep sipping your iHating kool-aid. No system is 100% secure. Period. At least Apple does far more work to reach that milestone than Google/Android ever will.

  • by Anonymous Coward on Monday August 19, 2013 @04:40PM (#44611191)

    There is a difference between removing an application from the store because it goes against the terms and removing an application because it is malware. Apple is certainly able to make this distinction.

    Google is able to remove applications remotely, they did so in the past, google it up.

  • by Pieroxy ( 222434 ) on Monday August 19, 2013 @05:35PM (#44611813) Homepage

    Without knowing much about the setup, I'm kind of doubtful that they can have a high level of confidence that it really ran for a few seconds. If I were testing apps like this, I'd run a good bit of my testing on a disposable VM with a faked network. That way it couldn't send connections out and any self-modification it did while in the test harness would be ignored, so nobody but me would have any way of knowing what went on in the harness.

    In other words, you would reject any app relying on a webservice somewhere on the internet. Good policy I guess. Nobody needs Instagram, Facebook or Twitter apps.
