Security: how the ModMyi repo handles tweaks submissions

Cydia modMyi repo

Following up on our interview with BigBoss repo maintainer Optimo, today we talk to ModMyi co-founder Kyle Matthews who shares the security process and safeguards in place when new jailbreak tweaks are submitted to his repo. While complete security can’t be guaranteed, Matthews explains that the ModMyi repo has done an incredible job along the years to protect its users.

But as he notes, 100% security is impossible, and at the end of the day, the ultimate responsibility is held by jailbreak users themselves. Read on for a fascinating look into one of the most popular repositories on Cydia.

Also read: BigBoss repo maintainer talks security and user responsibility

ModMyi co-founder Kyle Matthews answers our questions

Can you please describe the process between the moment a tweak is submitted to ModMyi to be added to the repo and the moment this tweak is live on the repo and ready to be downloaded?

When a package is submitted to us, we receive an email notification letting us know. Daily, we review the packages submitted in the last 24 hours. The vast majority of submissions are rejected (generally over 70%), for various reasons. These can include copyright infringement, security flaws, or general lack of professionalism (offensive, very poor, or other reasons).

Our review includes a manual inspection of the remaining packages. We run each package on a test device, and inspect each package for any errors, including incorrect directory structure, poor implementation, or security flaws.

The finalized packages are converted to .deb files and uploaded to the main repo.

What are the safeguards in place during that process? A clear explanation of the security scans would help.

The repo managers speak often and have trusted venues for group discussion. Every package uploaded to a trusted repo is manually inspected for any suspect (or just poorly written) code. If something seems off, the package is inspected by other trusted developers or repo maintainers. We will also connect with the package developer if something seems strange, getting feedback. Decisions are made as to whether the package is to be accepted then.

Are select developers whitelisted by default and allowed for a faster approval process? Or are all developers on the same level when it comes to review process?

There are occasionally certain packages or developers which have a long record of trustworthiness and relationship with repo owners, and are considered important to the community. These developers or packages may be allowed quicker response time. If there is an urgent request for any reason, we are also always available via Twitter, email, and other means to make rapid changes.

How often do you catch malicious packages? Is there some sort of trend or has it been relatively stable over the years?

Malicious packages rarely make it through the safeguards. However, it does occur, and the jailbreak community is a major help in catching these quickly and alerting those who can address. There is a frustrating tendency we’ve noticed of people to take to Reddit, or Twitter, or the forums, calling into question reasoning or how this would happen before and often instead of contacting the repo owners. We are aware accuracy can not be 100%, but I believe I am accurate in stating it has been 99.9% over the past 7 years or so we’ve been doing this. We have noticed no increase or change in frequency, and do catch strange packages occasionally – which never make it to the public.

Back in July, a tweak called Lock Saver Free containing a trojan was added to your repo. How did that happen?

It made it through the review process without being caught. A line of code within the app downloaded separate files, and was missed in review. The community of repo owners inspected the package (after it was quickly removed – you’ll see my comment the same day on this Reddit thread) to note the mechanism, and increase security to make sure we kept care of that method in the future.

How long did it take you to figure it out and take action?

Just under 12 hours. The discovery was made just before night in our timezone, and we woke up to see email notifications (we have alerts set up for if anyone mentions certain things on popular sites or networks). We had no direct contact until someone forwarded us a news story. Your own Jeff Benjamin wrote a story on the issue and never contacted us (he has my direct contact information).

What preventive steps are you putting in place to make sure this doesn’t happen again?

As mentioned before, the mechanism used was inspected, and circulated around to the other repo owners and maintainers. We noted it and increased scrutiny of this type of issue in the future.

What steps are taken when a malicious tweak is detected?

The package is immediately removed. It is then inspected by both the repo maintainer and various other members of the community to reverse engineer and understand the malware. The submitter is notified and usually banned from whatever site he submitted the package through, and all repo maintainers are alerted of the findings. If any follow-up is necessary to ensure users’ devices or data is whole, that is communicated to users however is best (that is an extremely rare event).

What are some of the worst malware you’ve seen in tweaks submitted to ModMyi?

We see items which attempt to delete content, or load their own ads (those have made it through before but are submitted still). It is extremely rare a package tries to send or access protected data.

The BigBoss went down for a period of time last month. The next day, your repo went down too, which is something I can’t recall happening in the past. Was this just a terrible coincidence, or is there more to it than just bad luck?

We were both affected by a DDOS. Measures were put into place to better address these types of attacks from then on, although DDOS are common and have affected much larger sites than our own.

As iOS grows in popularity and is gaining ground in places like China, do you feel this makes the platform a bigger target for hackers? How do you feel about the general security of jailbreak tweaks developed for iOS going forward?

There is a good system in place, and we continue to enhance our methods with every rare occurrence. As any tech news blog can attest to, 100% security is impossible, but we have quality measures in place. A root-accessible system (as iOS is while jailbroken) is inherently more vulnerable, and personal attention and a skilled community in place enhance the security.

Anything else you’d like to say or clarify?

Please, do know we check @mmirepo and our personal emails constantly! If something is ever noticed which appears out of the ordinary, it takes 10 seconds to tweet us and alert us. Before anything else, the repo maintainers should be alerted so packages can be inspected. Even Apple’s App Store has things slip through (emulators hidden in games, tethering packages masquerading as games, etc), but those are sandboxed. We are supported by a knowledgable community (both of developers, repo maintainers, and users) who has a history of noticing and alerting the repos of any breaches quickly.