By Robert Schoon (r.schoon@latinospost.com) | First Posted: Aug 17, 2013 01:42 PM EDT

It's not too hard to slip a bug into Apple's iOS walled garden, according to researchers at Georgia Tech, who managed to sneak a malicious app into the Apple App Store undetected. The research team's success now calls into question Apple's undisclosed app vetting system.

The malware, appropriately called "Jekyll" by the research team at the Georgia Institute of Technology, was designed to look like a respectable app in Apple's review process, only turning malicious after it was installed on an iOS device. In this case, the malicious code was in the guise of a Georgia Tech news app.

To get Apple's approval and earn a spot in the App Store, every app must go through mandatory review and code-signing mechanisms. Jekyll contained code fragments that were later assembled into malicious code after being activated remotely. "The app did a phone-home when it was installed, asking for commands," Long Lu, a member of the research team, told MIT Technology Review. "This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed."

Some of that "new" Hyde-like behavior included the ability to secretly post tweets, take pictures with the phone, steal the identity information of devices, send emails and text messages, attack other apps and even exploit kernel vulnerabilities.

Apple has long had a reputation for having a relatively malware- and virus-free system. When computer viruses became commonplace in the mid-to-late '90s, Apple might have had an advantage in staying malware-free because its computers simply weren't popular enough to become a common target. Since Apple has exploded in popularity, though, it has been known for keeping close tabs on what apps are approved for the App Store, creating a so-called "walled garden" for its over 400 million mobile devices.

But the gatekeepers of that garden apparently aren't working hard enough (or have too few resources), because the Georgia Tech team said that by monitoring their app, they could determine how long Jekyll was tested before being approved.

According to Lu, Apple only ran it for a few seconds before releasing it. "The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," Lu told MIT Technology Review.

Two-faced backdoor apps like Jekyll are not uniquely threatening to iOS, however. In the paper describing the Jekyll app in detail, which the Georgia Tech researchers released on Friday at the Usenix advanced computing conference in Washington, D.C., the team stressed that these types of malware are difficult to spot no matter what operating system is exploited: "We stress that our attack does not assume any specifics about how Apple reviews apps, but targets theoretical difficulties faced by any known methods to analyze programs."

To reliably stop Jekyll apps (and who knows if there are already Jekyll apps lying dormant in the App Store!), you'd have to have active, continuous monitoring of app behaviors, which means continuous monitoring of users' phones, which would make iOS feel more like the Iron Curtain than a walled garden.
