Apple’s (NASDAQ:AAPL) “walled garden” app ecosystem has a reputation for being secure and free of malware because every app is vetted by Apple before it can be sold in the App Store. However, no review process is completely immune to a determined attacker.
According to the MIT Technology Review, researchers from Georgia Tech were able to get a malicious app into the App Store even after it went through the Cupertino-based company’s review process. The researchers outwitted Apple’s screening by breaking the malicious logic into fragments that, taken individually, look like ordinary app code.
Only after the app has been installed and activated does it stitch those fragments together into a working malware program; in the paper, the app ships with a deliberately planted bug that the researchers trigger remotely to rearrange the app’s own code into new, malicious control flows. The app, which the researchers dubbed “Jekyll,” was disguised as a harmless Georgia Tech news app. Once assembled and activated, the malware could steal a user’s personal information, take pictures, send emails, and direct Apple’s Safari browser to a site hosting more malware.
Long Lu, one of the research team members, noted that Apple’s reviewers ran the app for only a few seconds. “The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu told the MIT Technology Review.
Although the malicious app was successfully published in the App Store, the researchers were the only ones to download it, and they removed it immediately after demonstrating the weakness in the review process. In their paper prepared for the USENIX Security Symposium, the researchers wrote that, “The download statistic provided by Apple later confirmed that the app had never been downloaded by any other users.”
According to the MIT Technology Review, Apple spokesperson Tom Neumayr said that Apple has already implemented some changes in iOS “in response to issues identified in the paper.” Apple did not specify what those changes were.
The researchers note in their paper that, “improving the existing security mechanisms or introducing more advanced runtime monitoring mechanisms can limit Jekyll apps’ capability to perform malicious operations. However, completely defeating Jekyll apps is not easy.”
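To make the gap between review-time static analysis and runtime behaviour concrete, here is a constructed toy model of the idea described above and of the runtime monitoring the researchers mention. It is an added example, not the researchers’ code and not iOS: every function name, the call graph, the sample contacts and headlines, and the policy are assumptions made up for the illustration. Each primitive the “app” ships is benign on its own; the harmful behaviour exists only as a call sequence chosen at runtime, so a source-to-sink check over the shipped call graph finds nothing, while a runtime policy that tracks where data came from can still stop the composed flow.

```python
# Constructed toy model of the Jekyll idea (not the researchers' code, not iOS):
# every primitive the app ships is benign on its own, and the harmful behaviour
# exists only as a call sequence chosen at runtime from data the reviewer never
# saw.  A static reachability check over the app's own call graph therefore
# finds nothing, while a runtime policy monitor can still stop the composed flow.

# Primitive operations a news app could plausibly contain.  Each is harmless in
# isolation: reading contacts is normal for a "share with a friend" feature and
# posting to the news server is normal for submitting feedback.
def read_contacts(state):
    state["buffer"] = ["alice@example.com", "bob@example.com"]  # constructed sample data
    state["tainted"] = True          # buffer now holds sensitive user data
    return state

def fetch_headlines(state):
    state["buffer"] = ["Campus news item 1", "Campus news item 2"]  # constructed
    state["tainted"] = False
    return state

def post_to_server(state):
    state["sent"].append(list(state["buffer"]))   # models a network send
    return state

PRIMITIVES = {
    "read_contacts": read_contacts,
    "fetch_headlines": fetch_headlines,
    "post_to_server": post_to_server,
}

# What a reviewer can see statically: the call graph wired up by the app's own
# code.  The shipping code only ever chains fetch_headlines -> post_to_server,
# so a source-to-sink check for "contacts reach the network" finds no path.
STATIC_CALL_GRAPH = {
    "fetch_headlines": ["post_to_server"],
    "read_contacts": [],       # contacts are only displayed locally
    "post_to_server": [],
}

def static_leak_check(graph, source="read_contacts", sink="post_to_server"):
    """Return True if the static call graph contains a path from source to sink."""
    seen, stack = set(), [source]
    while stack:
        node = stack.pop()
        if node == sink:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return False

def run_app(sequence, monitor=None):
    """Execute a call sequence decided at runtime.  In the paper the ordering is
    imposed remotely by the attacker after review; here it is just a list.  An
    optional runtime monitor may veto a step before it executes."""
    state = {"buffer": [], "tainted": False, "sent": []}
    for name in sequence:
        if monitor is not None and not monitor(name, state):
            raise PermissionError(f"runtime policy blocked {name}")
        state = PRIMITIVES[name](state)
    return state

def taint_monitor(name, state):
    """Runtime policy: data that came from the contacts store may not be sent."""
    return not (name == "post_to_server" and state["tainted"])

REVIEW_SEQUENCE = ["fetch_headlines", "post_to_server"]   # behaviour shown during review
ATTACK_SEQUENCE = ["read_contacts", "post_to_server"]     # behaviour after activation

def attack_blocked_by_monitor():
    """True if the runtime monitor stops the post-activation sequence."""
    try:
        run_app(ATTACK_SEQUENCE, monitor=taint_monitor)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print("static check sees a leak:", static_leak_check(STATIC_CALL_GRAPH))
    print("review run sent:", run_app(REVIEW_SEQUENCE)["sent"])
    print("activated run sent:", run_app(ATTACK_SEQUENCE)["sent"])
    print("monitor blocks activated run:", attack_blocked_by_monitor())
```

The point of the model is the asymmetry: `static_leak_check` is correct about the code it can see, and the review-time run looks clean, yet the same primitives leak the contacts once the sequence is swapped. The monitor catches it only because it observes the actual data flow at runtime, which is why the researchers say better runtime monitoring can limit, but not trivially eliminate, what such an app can do.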
Follow Nathanael on Twitter (@ArnoldEtan_WSCS)