Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Researchers Show How Apple's App Approval Process Can Be Beaten by Malicious Apps

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,481
30,715



NewImage1.png
Researchers from Georgia Tech submitted to the App Store and received approval for a malicious app, according to Technology Review. The researchers submitted an innocuous app that included inactive malware-type code hidden from Apple's app approval system.

When downloaded onto a test device after the app was approved, the app 'phoned home' and gained a variety of abilities that compromised the host phone.
This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Apple's default browser, to a website with more malware.
Click to expand...
The researchers, including Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, only put the app on the App Store very briefly and it was not downloaded by anyone other than research team members.

The team said that using monitoring code built into the app, they determined that Apple's app approval team only ran the app for a few seconds and that malicious code was not discovered by Apple's team. "The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," said Lu.

Apple spokesman Tom Neumayr told Technology Review that the company made some changes to the iOS operating system in response to the paper, though he did not specify what the changes were.

Article Link: Researchers Show How Apple's App Approval Process Can Be Beaten by Malicious Apps
 
Article Link
https://www.macrumors.com/2013/08/16/researchers-show-how-apples-app-approval-process-can-be-beaten-by-malicious-apps/
Diode

Diode

macrumors 68020
Apr 15, 2004
2,443
125
Washington DC
Fortunately with Apple's system - if something malicious is discovered it can be quickly pulled before harming anyone else.

Try getting the word out about a bad program and having it's website pulled. Much tougher as proven by all the spyware windows applications available.
 
Dr McKay

Dr McKay

macrumors 68040
Aug 11, 2010
3,430
57
Kirkland
Brace yourself. This Thread is about to turn into such a heated debate not even the Marshmallows will survive. :cool:
 
Shrink

Shrink

macrumors G3
Feb 26, 2011
8,929
1,727
New England, USA
Diode said:
Fortunately with Apple's system - if something malicious is discovered it can be quickly pulled before harming anyone else.
Click to expand...

Perhaps I'm misunderstanding the post above, but my reading of the News story indicated that Apple's approval process DIDN"T catch the malware embedded in the app, which was downloaded...if only by the researchers. It's my impression that the research points out weaknesses in the approval process which could allow malware to be downloaded by consumers before Apple catches it.

The research is valuable, IMO, in pointing out problems which Apple can now address.
 
JayCee842

JayCee842

macrumors 6502a
Jan 21, 2013
589
0
They only reviewed it for a few seconds? wow.
The fact that it grabbed so much information is scary.
 
C

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
So a human (or even non-human) process can have flaws?! A study was needed to realize or "prove" that? Really?
 
JayCee842

JayCee842

macrumors 6502a
Jan 21, 2013
589
0
Diode said:
Fortunately with Apple's system - if something malicious is discovered it can be quickly pulled before harming anyone else.

Try getting the word out about a bad program and having it's website pulled. Much tougher as proven by all the spyware windows applications available.
Click to expand...

Too bad this malicious malware wasn't discovered.
 
JSenders

JSenders

macrumors newbie
Jun 4, 2013
11
0
Chicago
We are lucky there are people out there who spend time doing this only to strengthen security in the system. I highly support hacking for the benefit of others.
 
R

rmwebs

macrumors 68040
Apr 6, 2007
3,140
0
Sorry, I thought this was already public knowledge. Any app developer can embed malicious code, then have it 'turn on' at a specific time. There is no code check, Apple only launch the app - they never get a copy of the source code of each app so have no way of knowing what's inside of it.

The only way this will ever change is if the compilation of the apps is done on Apple servers.
 
jav6454

jav6454

macrumors Core
Nov 14, 2007
22,303
6,257
1 Geostationary Tower Plaza
Diode said:
Fortunately with Apple's system - if something malicious is discovered it can be quickly pulled before harming anyone else.

Try getting the word out about a bad program and having it's website pulled. Much tougher as proven by all the spyware windows applications available.
Click to expand...

There exists an app kill switch. It just hasn't been used as of yet.
 
A

Alenore

macrumors 6502
Apr 7, 2013
423
426
Question is, how many people discovered and implemented it before it was found by this research.
 
AngerDanger

AngerDanger

Graphics
Staff member
Dec 9, 2008
5,452
29,002
Alenore said:
Question is, how many people discovered and implemented it before it was found by this research.
Click to expand...

And what changes to iOS specifically could prevent timer-based malicious code? This seems to be a problem with the review process rather than the OS.
 
Last edited:
V

Ventilatedbrain

macrumors regular
Nov 22, 2012
201
68
I've come to a conclusion that all these analysts / researchers lack any thrill in their lives ..all they want to see is apple or any other company fail ..
 
Last edited by a moderator:
Shrink

Shrink

macrumors G3
Feb 26, 2011
8,929
1,727
New England, USA
Ventilatedbrain said:
I've come to a conclusion that all these analysts / researchers lack any thrill in their lives ..all they want to see is apple or any other company fail ..
Click to expand...

I don't understand how pointing out a flaw that can be fixed represents a desire to see Apple fail.:confused:
 
Last edited by a moderator:
iLilana

iLilana

macrumors 6502a
May 5, 2003
807
300
Alberta, Canada
get right on that apple

Oh wait. Then developers start complaining about approval times. Either way its going to cost somebody something.
 
Krazy Bill

Krazy Bill

macrumors 68030
Dec 21, 2011
2,985
3
I thought Timmy C. approved all apps personally!?!? :eek:

Ventilatedbrain said:
I've come to a conclusion that all these analysts / researchers lack any thrill in their lives ..all they want to see is apple or any other company fail ..
Click to expand...
Well, I for one am quite happy with people finding chinks in the armor of one of the most powerful companies in the universe. Keeps 'em honest.
 
Last edited by a moderator:
Krazy Bill

Krazy Bill

macrumors 68030
Dec 21, 2011
2,985
3
Shrink said:
The post sounds a bit like schadenfreude...;)
Click to expand...
Holy crap. I had to 3-finger that word. :eek: I'd even use it if I could pronounce it.

Ack, No. I don't want to see Apple fail - just challenged every step of the way lest they meander down the wrong path and forget who put 'em where they are. :)
 
nagromme

nagromme

macrumors G5
May 2, 2002
12,546
1,196
I like Apple's screening process for keeping out SOME of the bad guys.

I like it better for removing them after approval, once caught, and for having a paper trail pointing back to the criminal. Thus making it less worth their while.

I also like the OS design (better with each version) that limits what even CAN be done. Which needs to continue getting tighter, clearly.

I like these researchers, too! As long as they reported the issue to Apple privately long before dangling a treat in front of criminals. (That's good security practice, and if they didn't do it, and opted for attention instead, I don't like them so much... but I'll still take the benefit of their findings.)

Apple can never screen out and block everything anyone might try, but they've succeeded in making a safe, trusted platform that Android users can only dream of. AND it needs to improve--which can't happen without catching the loopholes.
 
Last edited:
Shrink

Shrink

macrumors G3
Feb 26, 2011
8,929
1,727
New England, USA
Krazy Bill said:
Holy crap. I had to 3-finger that word. :eek: I'd even use it if I could pronounce it.

Ack, No. I don't want to see Apple fail - just challenged every step of the way lest they meander down the wrong path and forget who put 'em where they are. :)
Click to expand...

Listen, consider yourself lucky I didn't go all sesquipedalian on you!:p ;)
 
R

rusty2192

macrumors 6502a
Oct 15, 2008
997
81
Kentucky
Krazy Bill said:
Holy crap. I had to 3-finger that word. :eek: I'd even use it if I could pronounce it.

Ack, No. I don't want to see Apple fail - just challenged every step of the way lest they meander down the wrong path and forget who put 'em where they are. :)
Click to expand...

Holy Crap. I had to try the 3-finger thing. I did not OS X did that! Oh, and cool word :D
 
0

0x0x0x0

macrumors 6502
Jul 10, 2013
259
75
Down in the Ether, looking at your bits...
Diode said:
Fortunately with Apple's system - if something malicious is discovered it can be quickly pulled before harming anyone else.

Try getting the word out about a bad program and having it's website pulled. Much tougher as proven by all the spyware windows applications available.
Click to expand...

This method seems to be rather easily defeated- all you need is to wait for 3 or 6 months between purchase and malicious activity; and you're assuming that the malicious activity is going to be obvious to the end user- not necessarily the case...
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom