Once the app passes the review and is installed on an end-user’s device, it can be instructed to carry out the intended attacks.
The key goal was to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code, the researchers said. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.
“We implemented a proof-of-concept Jekyll app and successfully published it in App Store,” wrote the five-person research team in a white paper. “We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll apps can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps and even exploiting kernel vulnerabilities.”
The method is quite a feat considering that in addition to the standard security features like Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and sandboxing, iOS enforces the mandatory App Review and code signing mechanisms almost religiously. App Review inspects every app submitted by third parties (in binary form) and only allows it to enter the App Store if it does not violate App Store’s regulations.
To further prohibit apps distributed through channels other than the App Store (i.e., unsigned apps), the code signing mechanism disallows unsigned code from running on iOS devices. So, a user would have to jailbreak their phone in order to run unauthorized apps, which is not the case with Google Android devices. Android’s open OS approach and ability/willingness to support apps outside of Google Play is a large reason that malware targets Android better than 95% of the time.
According to the offcial App Review guidelines, developers should expect their apps to go through a thorough inspection for all possible term violations. “During this process, many reasons can lead to app rejections, such as stealing data from users and using private APIs reserved for system apps,” the researchers said. “Although the technical details of the review process remain largely unknown, it is widely believed that such a selective and centralized app distribution model has significantly increased the difficulty and cost for malicious or ill-intended apps to reach end users.”
The Jekyll approach changes all of that, and opens up new attack surfaces on iOS devices. And it does so by adopting, well, a Jekyll-and-Hyde approach to things. Specifically, attackers can carefully plant a few artificial vulnerabilities in a benign app, and then embed the malicious logic by decomposing it into disconnected code gadgets and hiding the gadgets throughout the app code space. Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice. However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks.
The researchers carried out the exercise with the intention of pointing out a deep flaw in the app review process for Apple to address. “We stress that our attack does not assume any specifics about how Apple reviews apps, but targets theoretical difficulties faced by any known methods to analyze programs,” the researchers explained. “By demonstrating the power of this practical attack, we highlight the shortcomings of the pre-release review approach and call for more runtime monitoring mechanisms to protect iOS users in the future.”