SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
1 Feb 2016

Popular hot patching technique puts iOS users at risk

Did you know? Any iOS app downloaded from Apple’s official App Store has the ability to update itself from any third-party server automatically, without your knowledge.

Yes, it is possible, and you could end up downloading malware on your iPhone or iPad. Unlike Google, Apple has made remarkable efforts to create and maintain a healthy and clean ecosystem of its official App Store.

Although Apple's review process and standards for security and integrity are intended to protect iOS users, developers found the process time-consuming and extremely frustrating when issuing a patch for a severe bug or security flaw impacting existing app users. To overcome this problem, Apple designed a set of solutions to make it easier for iOS app developers to push hotfixes and updates straight out to app users without going through Apple's review process.

Sounds great, but here's the kick:

Malicious app developers can abuse these solutions, potentially allowing them to effectively circumvent the protection given by the official App Store review process and perform arbitrary actions on the compromised device, FireEye has warned. The framework in question is JSPatch, a small JavaScript-to-ObjectiveC engine that developers can integrate into their iOS apps, allowing them to apply hotfixes simply by adding a few lines of code to their apps.

How Does JSPatch Work?

Once the JSPatch engine loads inside an application, the developer can configure the app to always load a JavaScript file hosted on a remote server that the developer controls. Developed by a Chinese developer, JSPatch is utilised in as many as 1,220 iOS apps in the App Store, according to researchers. Although they did not name the apps, the researchers say that they have already notified the app providers. So, when an app needs security fixes or updates, instead of going through Apple's long-winded update routine, developers can just add some JavaScript code to the file hosted on their server, and that code is loaded on all the devices where the app is installed.

How to Exploit the JSPatch Framework?

There are two ways to abuse this framework:

  •     If the developer has malicious intentions.
  •     If the developer loads this framework via an unencrypted channel, allowing man-in-the-middle attacks.
     

What if the app developer has bad intentions?

A malicious developer can first submit a harmless JSPatch-integrated application to the Apple App Store. Once it has passed Apple's inspection and been made available on the App Store for users to download, the developer can then easily send malicious JavaScript code to the running application through JSPatch, allowing the developer to perform various actions without being detected.

"JSPatch is a boon to iOS developers," FireEye researchers said in a blog post. "In the right hands, it can be used to quickly and effectively deploy patches and code updates. However, in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes."

What if the app's developer loads JSPatch via an unencrypted channel?

Even if an application developer uses JSPatch without any malicious intentions, the users' security is still at risk. Developers who load JSPatch via an unencrypted (HTTP) channel could leave communications between the client and the server unprotected. This could allow an attacker to conduct a man-in-the-middle (MitM) attack to intercept the connection between client and server and tamper with the JavaScript content sent to the app in order to perform a malicious action, including:

  •     Accessing sensitive information, such as media files and the pasteboard content.
  •     Changing system properties.
  •     Loading arbitrary public frameworks into the app process.
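The tampering risk described above comes from the app running whatever script arrives. As an added example (not from the original article, FireEye's post or JSPatch itself), the sketch below shows the check a client can apply before handing a downloaded script to the patch engine: refuse cleartext URLs and require a signature that verifies against a public key shipped in the reviewed binary. The function names, keys, URLs and sample script are all hypothetical and constructed for illustration.

```javascript
// Added example; acceptPatch, signPatch, the keys and the URLs are hypothetical names.
const nodeCrypto = require('node:crypto');

// Constructed Ed25519 key pair. In a real deployment only the public key ships
// inside the reviewed app binary; the private key never leaves the signing host.
const { publicKey: PINNED_PUBLIC_KEY, privateKey: SIGNING_KEY } =
  nodeCrypto.generateKeyPairSync('ed25519');

// Constructed sample patch script, standing in for the remotely hosted file.
const SAMPLE_PATCH = "/* constructed hotfix */ var fixedTimeout = 30;";

// Developer side: sign the exact bytes of the script that will be served.
function signPatch(script) {
  return nodeCrypto
    .sign(null, Buffer.from(script, 'utf8'), SIGNING_KEY)
    .toString('base64');
}

// Client side: decide whether a downloaded script may reach the patch engine.
function acceptPatch(url, script, signatureB64) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return { ok: false, reason: 'bad-url' };
  }
  // Cleartext HTTP lets anyone on the path rewrite the script in transit.
  if (parsed.protocol !== 'https:') {
    return { ok: false, reason: 'cleartext-channel' };
  }
  if (typeof signatureB64 !== 'string' || signatureB64.length === 0) {
    return { ok: false, reason: 'missing-signature' };
  }
  let valid = false;
  try {
    valid = nodeCrypto.verify(null, Buffer.from(script, 'utf8'),
      PINNED_PUBLIC_KEY, Buffer.from(signatureB64, 'base64'));
  } catch {
    valid = false; // malformed signature bytes are treated as a failed check
  }
  return valid
    ? { ok: true, reason: 'verified' }
    : { ok: false, reason: 'bad-signature' };
}
```

This check addresses only the second abuse case: a developer who signs a malicious script passes it, so it does nothing against the first.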
     

This isn't the first time iOS users have faced such problems. Last October, hundreds of iOS apps in the App Store were found collecting users' private data in violation of Apple's security and privacy guidelines. The discovery came just a month after the XcodeGhost malware was distributed through legitimate iOS apps via counterfeit versions of Apple's app developer toolkit, Xcode. Here's how to protect yourself against XcodeGhost-like iOS flaws.

How to Protect Yourself?

The recommendations to protect yourself against this flaw are standard:

  • Download apps only from the official App Store, and only those that you need, know, and trust.
  • Beware of applications that ask for an extensive number of permissions, and grant apps only the permissions that are necessary.
     

Manually review "everything" to discover anything malicious on your devices. The rest is up to the company: whether it wants to improve its application update process to make it speedier, or to allow potential attack vectors that could affect most of its apps and their users.

Tags: iOS information leaks

Source: The Hacker News