Researchers Show How Apple's App Approval Process Can Be Beaten by Malicious Apps

[fluchtpunkt]

As long as they reported the issue to Apple privately long before dangling a treat in front of criminals.

Well, the fact that you can deactivate malicious code in your app until your app passed Apples review is well known to basically everyone who writes software.

Does anybody remember HiddenApps, the app that could be used to hide app icons on your device?
That app fetched a file from a webserver, if the file said "hide malicious code" the app showed some useless tricks on how to save battery. Once the app passed review the file said "do evil stuff" and the app executed the parts that would have lead to an rejection immediately.

There is no way to catch all evil code in an App. Not even access to the source code will make you a hundred percent safe. Because you have to read and understand it all to make a judgement. Ain't nobody got time for that.

 

[Krazy Bill]

Why not? Give these kids something to do.

Who you callin' "kid"? I bet I have Mayonaise in the fridge older than you.

 

[sirozha]

Now that Apple doesn't necessarily have to have thousands of new apps added every day because they already have too many crappy apps in their app store, they should make the review process stricter and longer. Additionally, they could introduce two types of stores: a free-only app store one and the fee-only app store. The fee-only app store should have a much stricter app review standards because the potential will be for Apple to make a lot of money off each app. Apple makes nothing off free apps, and in fact they incur losses by having to provide bandwidth and other facilities for hosting the app on top of the overhead of the review process. That's the reason why they are skimping on the review process now. The manual review of free apps is not scalable when every other teenager is now trying to make an app and publish it in the app store.

If this two-tier model were implemented, customers would have a choice to shop in a free-only store or in the fee-only store. I would not mind paying $1 per app minimum to make sure there's no malware. In my owning an iPhone for 4 years now, I may have downloaded 150 apps, including games for my kid. Some of them I bought for $25 and $50 dollars, while others were free. Some fell in the $5 - $10 range. Even if I had to pay $1 per each free app, I would have paid maybe $75 more in the course of 4 years. That's less than $20/year for a peace of mind. I wouldn't object to paying $1 per "free" app in the fee-only store.

Let beginner programmers start off in the free-only app store, and if they are successful, they can move on to the fee-only app store. Apple should then charge those who want to publish their app in the fee-only store some "cover fee" - maybe $200 - which would partially pay for the proper app review process to guarantee there's no malware or spyware in the app.

 

[RodThePlod]

This type of attack is nothing new. Regardless of what the article says, I'm sure Apple won't have just been made aware of this type of vulnerability.

Every OS out there - desktop to mobile - can be subjected to this type of attack. And typically on the desktop side of things this is where an AV scanner will come into play as it detects the malicious code in memory when it is reconstructed from its constituent parts and attempts to do bad things.

There will always be these types of threats, but it's worth remembering that iOS is one of the most secure OSes out there.

Tightening up the review process might help guard against this kind of thing, but it will undoubtedly be a trade-off as the additional workload could potentially be huge. And any really determined hacker/researcher could still get malicious apps into the store if they were to obfuscate their code enough.

RTP.

 

[louis Fashion]

Beware

Question is, how many people discovered and implemented it before it was found by this research.

No, the question is how many apps are out there - with malicious code - that APPL did not catch?

 

[donutbagel]

Remember that flashlight app that secretly provided 3G tethering? I think they also took down Gridlee, the NES emulator disguised as a normal game, which I grabbed while it was still up.

 

[RodThePlod]

Apple makes nothing off free apps, and in fact they incur losses by having to provide bandwidth and other facilities for hosting the app on top of the overhead of the review process.

I'd beg to differ there. Free apps are what drives this whole thing.

RTP.

 

[Plutonius]

Great, now let's double the time an app needs to get approved .

 

[donutbagel]

No, the question is how many apps are out there - with malicious code - that APPL did not catch?

For the last time, it's AAPL! APPL is a petrol company.

 

[jclardy]

Is this really new news? This was always possible, but it has a few problems.

1. The app has to be good. This is the biggest problem, the app has to at least appear to be good and functional to get downloaded and then not get deleted after the first launch.

2. If the app is good, why try and steal from users? The second problem is related to the first. If a developer spent a lot of time creating a good, functional app, then why would they hamper its performance by embedding malicious code?

So essentially this relegates these attacks to the slums of the app store. Still could cause damage, but they would be very difficult to detect if implemented right.

 

[Illusion986]

Digital world is extremely convenient but comes at a price with NSA spying on people and smart hackers able to hack nearly anything....I don't think I'm renewing my off site cloud back up and going back to hard media maybe its a little more secure.

 

[Diode]

Too bad this malicious malware wasn't discovered.

Perhaps I'm misunderstanding the post above, but my reading of the News story indicated that Apple's approval process DIDN"T catch the malware embedded in the app, which was downloaded...if only by the researchers. It's my impression that the research points out weaknesses in the approval process which could allow malware to be downloaded by consumers before Apple catches it.

The research is valuable, IMO, in pointing out problems which Apple can now address.

My point was that even if something slips through, if it violates the terms, it will be pulled once Apple figures out what's going on.

Granted it requires someone to be aware of what the App is doing but I'm guessing it wouldn't be long before someone caught on and reported it to Apple.

 

[fluchtpunkt]

Is this really new news? This was always possible, but it has a few problems.

1. The app has to be good. This is the biggest problem, the app has to at least appear to be good and functional to get downloaded and then not get deleted after the first launch.

Make something people can't normally get on the app store.
Enable Tethering, hide the Stocks Icon, a MAME emulator. Something like this.

Once the news about those apps spread they probably got hundreds of thousands of downloads until apple deleted the apps.

And it's enough to run the app one time. The apps can steal the data in a blink of an eye. After the app is closed (i.e. send to background) it has 10 minutes to upload all the data.

 

[linuxcooldude]

Sorry, I thought this was already public knowledge. Any app developer can embed malicious code, then have it 'turn on' at a specific time. There is no code check, Apple only launch the app - they never get a copy of the source code of each app so have no way of knowing what's inside of it.

The only way this will ever change is if the compilation of the apps is done on Apple servers.

That was my thought as well. How well can you really detect malware without looking at the source code. Then do they have the time to scrutinize it thoroughly as they have thousands of apps to check out.

 

[dilbert99]

Sorry, I thought this was already public knowledge. Any app developer can embed malicious code, then have it 'turn on' at a specific time. There is no code check, Apple only launch the app - they never get a copy of the source code of each app so have no way of knowing what's inside of it.

The only way this will ever change is if the compilation of the apps is done on Apple servers.

Any compiled app is code and can be decompiled. Even without decompiling the compiled code can still be checked. People originally coded in machine code...

 

[gnasher729]

For the last time, it's AAPL! APPL is a petrol company.

For the last time? Dream on

Now seriously: How bad is this problem? An attacker first has to write an app that is useful enough to get approved to the store. Hiding a time bomb inside is no problem. The problem for the attacker is elsewhere: To deliver this app to say ten thousand people, it's not enough to put it on the App Store. It also has to look good enough so that ten thousand people actually download it. Next, what can the app do? iOS apps can't do whatever they like. They have to announce to Apple what they plan to do, and in the review process that has to be allowed. So if you want your app to send emails, you have to have real functionality in your app that uses this feature, in a useful way or it will be rejected.

Now writing an app that not only contains malware, but also is good enough to get ten thousand downloads, that takes effort. At that point there is the question: Why would you bother to create malware? If you can write software that sells, you can make money by selling it. Adding malware will just kill that flow of money. It's not as if malware is actually good business. The amount of money that you can get for credit card numbers for example is pathetic (and I'd be curious to see how this app would have managed to steal credit card numbers).

And the big problem: If Georgia Tech had created _real_ malware, there would now be hell to pay. There would be arrests, people going to jail, lawsuits with massive amounts of damages. There is no need for thorough checks if Apple knows there is someone who can be made to pay for damages. Georgia Tech _cannot_ create real malware, because it would cost them too much when caught.

 

[louis Fashion]

For the last time, it's AAPL! APPL is a petrol company.

Sorry, no need to get excited.

 

[msheredy]

All this..

...and Android carries 95+ percent of the malware. Who should be under the microscope??

 

[RiverCitySlim]

Balderdash! The walled garden is impenetrable!

 

[sammaffei]

A non-issue

Most of these vulnerabilities will be gone by the time iOS 7 drops. I know firsthand that you no longer get a valid UDID (Device identifier) or Wi-Fi Mac Address under iOS 7.

 

[Assault]

I do love the troglodytes of the Apple fan base.

First it was Apple doesn't have malware. Period!
Then it was Apple is able to stop all that malware from getting past the review process.
Now it's, 'Okay. Malware can get in to the app store, but since it's less than Android's Play Store, I'm fine.'
Soon it will just be, 'iOS is the best. Neener Neener Neener.' *puts fingers in ears and closes eyes.*

Got news for you people, this vulnerability has always been there. But, if you keep repeating 'iOS is the best. Praise Jobs' you can wish it all away. Every OS has this issue, but Apple fans seem especially adamant that iOS is impenetrable. Even after reading this, some still won't believe it. It is quite amazing how Apple has been able to brainwash so many people.

P.S. More than 98% of all Android malware is located in the Russian and Chinese Play Store apps, or side loaded... Much like many of those jail broken iPhones (that don't get included in these malware studies BTW.) If you stick to official apps in either app store, you will likely never get malware. Common sense reigns supreme.

 

[Clubber]

Sounds like it's similar to the halting problem. It's an unsolvable issue. Instead of halting, it's malicious code.

http://en.wikipedia.org/wiki/Halting_problem

 

[iChrist]

And what changes to iOS specifically could prevent timer-based malicious code? This seems to be a problem with the review process rather than the OS.

That is obvious, thanks.

The issue is that, if the walled-garden cannot protect end-users, then it has no value, or negative value. It certainly doesn't prevent outright copying, non-functional garbage apps, and it allows threats to the security of a users private information that frankly are easy to sneak by the "genius" approval staff they have.

 

[AngerDanger]

That is obvious, thanks.

The issue is that, if the walled-garden cannot protect end-users, then it has no value, or negative value. It certainly doesn't prevent outright copying, non-functional garbage apps, and it allows threats to the security of a users private information that frankly are easy to sneak by the "genius" approval staff they have.

You're welcome!
I see you're in the business of stating the obvious as well.

Yet Apple has apparently made changes to iOS in regards to this problem. I guess the walled-garden still has some value.

Apple spokesman Tom Neumayr told Technology Review that the company made some changes to the iOS operating system in response to the paper, though he did not specify what the changes were.

 

[Ciclismo]

This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Apple's default browser, to a website with more malware.

There's already an app that does all that, and more - Facebook.