"Jekyll" Test Attack Sneaks Through Apple App Store, Wreaks Havoc
An anonymous reader writes "A malware test app sneaked through Apple's review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS 'sandbox' designed to isolate apps and data from each other. The app, dubbed Jekyll, was helped by Apple's review process. The malware designers, a research team from Georgia Institute of Technology's Information Security Center, were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn't anywhere near long enough to discover Jekyll's deceitful nature."
iOS apps -- can they self-modify? (Score:4, Interesting)
Let's say you submit an app to the app store, and like many it's designed to do something fairly idiotic that today's kids find funny, say, take a picture and then superimpose the picture onto a set of background images included with the app.
Now, let's say the app writer has steganographically embedded "naughty" code in the background images, maybe even going so far as to spread the code across all the images, encrypt, etc. to make it difficult to find.
Can the app modify itself by taking its hidden code from the images and actually execute it? Can you download "new" code from the internet, even if it's steganographically hidden? It seems like you shouldn't be able to do this, like the apps should be sandboxed from modifying their own code just to prevent importing unapproved code.
Q&A (Score:5, Interesting)
I had apps declined due to improper usage of a certain widget in another certain widget which was not deemed "correct" (switch button in a table footer for example), but was always able to either find a similar solution or - in one rare case (the one mentioned) - explain WHY that switch button is there, and how, if you take a look at the UI, you understand what it does.
Then again I saw apps in the store which completely failed even most of the basic guidelines, described as (between the lines): "fail these, and your app will 100% be NOT approved", and I wondered "how did they get in there?"
Talked to other developers, same experience. Some knew they had a few things in there against the guidelines (custom springboards, views not conforming with the UI guidelines) and hoped to get through. Sometimes they managed, sometimes not, so they also got the feeling that the Q&A for the App Store is somewhat like a tax declaration. They don't seem to have enough time/resources to check it all, so if you have something that is against the guidelines, you have to hope that you are one who doesn't get checked thoroughly.
Re:Apple review process = a few seconds? (Score:5, Interesting)
I've had a game published which wasn't even started, or approved while only displaying 'an internet connection is required to proceed'. It's hard to be checked out less than this.
I call bullshit on "unaware" claims (Score:4, Interesting)
I can totally see getting an app through the submission process that does something a bit sneaky. Sometimes the app reviewers hardly look at a thing (though sometimes they look very carefully, it just depends on the reviewer).
But the claim the app could "wreak havoc" needs some proof. They said:
a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps -- all without the user's knowledge
Every single one of those requires permission from the user to do - an app cannot post tweets directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.
Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...
Re:Wreak Havoc seems a bit overblown (Score:2, Interesting)
Reminds me of this scene from First Contact:
(Picard drains the coolant, finds the Borg Queen's head and neck that is still blinking. He breaks the neck)
PICARD: Data, are you all right?
DATA: I would imagine that I look worse than I feel. ... Strange. ... Part of me is sorry she is dead.
PICARD: She was unique.
DATA: She brought me closer to humanity than I could have thought possible. And for a time I was tempted by her offer.
PICARD: How long a time?
DATA: Zero point six eight seconds, sir. For an android, that is nearly an eternity.
Monitored? (Score:5, Interesting)
What kind of two-bit operation is Apple running if apps can phone home during the vetting process?
Re:BUT MACS DON'T GET ... (Score:5, Interesting)
Heh, remember when Apple changed the info on their page from "DOES NOT GET VIRUSES" to "DOES NOT GET PC VIRUSES"?
That was classic.