New iOS vulnerability lets malware slip through


Apple’s iOS is generally considered the most reliable and secure mobile platform out there, so it is little wonder that iPhones and iPads are the gadgets of choice for mobile workers everywhere. Despite its Unix underpinnings, iOS of course isn’t bullet-proof – no software is. But unlike Google’s malware-infested Android, you don’t hear every day about an iOS weakness so fatal it opens the door to malware.

Unfortunately, today is precisely that day as researchers from the Georgia Tech Information Security Center (GTISC) publish details about a newly discovered iOS vulnerability that allows malware installation via seemingly innocuous apps.

The weakness circumvents Apple’s security measures and paves the way to “significant security threats to the iOS platform.” We’re expecting a swift response on Apple’s part and a fix via a future update…

According to a media release Georgia Tech put out last week, researcher Billy Lau and his team showed off the security exploit at Black Hat.

The iOS weakness, they explain, allows attackers to sneak malware past Apple’s app review process and install it onto iOS devices silently, without you being aware of any suspicious activity.

Wang’s approach hides malicious code that would otherwise get rejected during the Apple review process. Once the malicious app passes review and is installed on a user’s device, it can be instructed to carry out malicious tasks.

Theoretically, a third-party iOS app like Facebook could be the carrier of malware.

The team introduced a proof-of-concept attack called Jekyll that rearranges its own code to create new functionality that is not exhibited during Apple’s approval process.

“This allows the malicious aspects of the app to remain undetected when reviewed and therefore obtain Apple’s approval,” the release reads.

They were able to publish a malicious app and use it to remotely launch attacks on a controlled group of devices.

Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge.

Apple has apparently “indicated that it is continuing to work on ways to address the weaknesses revealed through Jekyll,” Georgia Tech’s press release claims.

At any rate, this Jekyll method should be enough to give Apple pause, especially given the bragging in Apple’s 2012 white paper, which sings the praises of iOS devices for providing “stringent security technology and features.”

The report also mentions another recently discovered iOS weakness that uses a proof-of-concept malicious charger and a single-board computer to stealthily install a malicious app.

For what it’s worth, iOS 7 has fixed that vulnerability.

The researchers will publish their findings at the upcoming USENIX Security 2013 conference that runs on August 14–16, 2013 in Washington, D.C.

In the meantime, Apple is hoping to take iOS security to the next level this fall with a bunch of capabilities like Activation Lock, a new iOS 7 feature that renders stolen devices useless by denying a carrier activation, even after the thief has wiped the device clean of data or disabled the Find My iPhone service.