Researchers at Georgia Tech say they’ve found a creative way to bypass the iTunes store security reviews: by having an app mutate once it’s installed.
The same researchers also say they’ve found a way of carrying out a physical attack on iOS devices, though Apple has already mitigated it to some extent.
Tielei Wang of the university’s Information Security Center says he was able to create what is effectively a Trojan horse to get round the security check Apple carries out on all apps before allowing them into the App Store.
Wang won’t be publishing the full details until the USENIX security symposium in Washington in a couple of weeks. However, he’s revealed that the attack worked by creating what he called a Jekyll app, which has code arranged in a particular way that didn’t raise any flags during review.
Once installed, the app could be remotely told to rearrange the code, which changed the way it operated and allowed malicious activities. This works despite the sandboxing that’s meant to limit the effect any malware can have on iOS devices.
Wang says he successfully published a proof-of-concept app and was able to use it to carry out tasks including posting tweets and sending e-mails and text messages without the user’s knowledge, taking photographs, and stealing “device identity information.”
Meanwhile colleague Billy Lau created a single-board computer, Mactans, which he was able to house in what appeared to be a charger plug and cable. Despite Apple’s security measures, Mactans was able to install applications on the phone within a minute of the “charger” being plugged in.
It should be noted Lau isn’t arguing there’s a serious risk of criminals trying to trick people into using bogus chargers. Instead, his concern is with the way a physical device was able to get around Apple security measures. He was scheduled to reveal more details at the Black Hat conference this week.
Both researchers have made Apple aware of the issues. Apple is working on solutions to both problems, and has already added a feature to iOS 7 that means users get a warning whenever anything connected to their device tries to establish a data connection.