Got an iOS app in need of approval? Apparently a few seconds is all you’ll need to get it.
To join the ranks of the millions of apps in Apple’s App Store, each new iPhone, iPad or iPod app needs to pass what was thought to be a stringent approval process that vets the app’s safety. But according to a team of researchers at Georgia Tech, the app review process is far from foolproof.
Presenting a paper at the 2013 USENIX Security Symposium in Washington last Friday, the team explained that in March they submitted for approval a remotely assembled malware app masquerading as a Georgia Tech news app, and a few minutes later it was live.
Technology Review reported that the malware, dubbed Jekyll, could post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps, along with directing Apple’s default browser, Safari, to another malware website.
The researchers left Jekyll live for only a few minutes, long enough to test it on their own devices and deliberately attack themselves. Apple’s review missed the malware, which was decomposed into “code gadgets” hidden in legitimate app operations.
“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” said Long Lu, a Stony Brook University researcher who was part of the Georgia Tech team.
Apple spokesman Tom Neumayr said the company made some changes to its iOS mobile operating system in response to issues identified in the paper, but would not comment on the app review process itself.
“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app,” said Lu, “which we say is not sufficient because dynamically generated logic cannot be very easily seen.”
ZDNet’s David Morgenstern and others have been quick to point out that this doesn’t mean other app stores like Android’s Google Play are any more secure than Apple’s, but the ease of slipping malware past the review process is eye-opening.
There is no perfect app-vetting process, and all operating systems are inherently vulnerable. Still, who knows whether Apple’s review would’ve uncovered Jekyll’s hidden malware if given more than a few seconds.
Marc Rogers, principal researcher at mobile security firm Lookout, told Technology Review that uncovering these types of malware apps would require continuous monitoring of customers’ phones. As such, he said, “all OSes are vulnerable to this kind of attack, whether mobile or otherwise.”