A Chinese iOS application recently found on Apple's official store contained hidden features that allow users to install pirated apps on non-jailbroken devices. Its creators took advantage of a relatively new feature that lets iOS developers obtain free code-signing certificates for limited app deployment and testing.
The number of malware programs for iOS has been very low until now primarily because of Apple's strict control of its ecosystem. Devices that have not been jailbroken -- having their security restrictions removed -- only allow apps obtained from the official App Store, after they've been reviewed and approved by Apple.
There is a separate method for enterprises to distribute in-house developed apps to iOS devices without publishing them on the app store, but it relies on special code-signing certificates obtained through the Apple Developer Enterprise Program.
Enterprise certificates have been used to install malware on non-jailbroken iOS devices in the past, and it is one of the techniques used by the newly found Chinese app, which is called ZergHelper or XY Helper. However, it's not the most interesting one.
According to researchers from security firm Palo Alto Networks, ZergHelper also abuses personal development certificates, a new type of code-signing certificate introduced by Apple with the release of Xcode 7.0 in September. Xcode is the main tool -- or integrated development environment (IDE) -- used to develop iOS and Mac OS X apps.
Starting with Xcode 7, developers can build apps, sign them and have them run on their own devices without publishing them in the app store. This makes it a lot easier to test apps without enrolling in Apple's Developer Program, which requires a $99 per year subscription.
To generate personal development certificates, app makers have to use Xcode with their phone connected to their computer. The exact process in which Xcode obtains the certificates from Apple is not publicly documented, but the ZergHelper creators seem to have figured it out.
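The practical defensive question raised by the two signing paths above is how to tell, for an app already on a device, whether it came through the App Store, an enterprise (in-house) certificate, or a personal development certificate of the kind Xcode 7 hands out to free accounts. The script below is an added example, not code from the article or from Palo Alto Networks. It assumes the input is the plist payload of an app's embedded.mobileprovision with its CMS signature already stripped (on macOS, `security cms -D -i embedded.mobileprovision` does that), that the profile keys it reads (ProvisionsAllDevices, ProvisionedDevices, TeamName, Entitlements/get-task-allow, CreationDate, ExpirationDate) are the ones Apple writes into such profiles, and that a free Personal Team profile is recognisable by its "(Personal Team)" team name or its seven-day lifetime. The sample profiles are constructed, not captured.

```python
"""Classify decoded iOS provisioning profiles by distribution channel.

Added example (not from the article or the researchers it quotes).
Assumes the input is embedded.mobileprovision with its CMS wrapper removed
and that the key names below match Apple's profile format.
"""
import plistlib
from datetime import datetime, timedelta

# Assumption: Xcode's free-account ("Personal Team") profiles live at most 7 days.
PERSONAL_TEAM_MAX_LIFETIME = timedelta(days=7)


def classify_profile(decoded_plist: bytes) -> dict:
    """Return the signing channel a provisioning profile belongs to.

    Channel decision, in priority order:
      ProvisionsAllDevices      -> enterprise in-house distribution
      ProvisionedDevices + debug -> development (personal team if free-account markers)
      ProvisionedDevices, no debug -> ad hoc distribution
      neither                    -> App Store distribution
    """
    p = plistlib.loads(decoded_plist)
    entitlements = p.get("Entitlements", {})
    team = p.get("TeamName", "")
    lifetime = p["ExpirationDate"] - p["CreationDate"]

    if p.get("ProvisionsAllDevices"):
        kind = "enterprise-inhouse"
    elif "ProvisionedDevices" in p:
        if entitlements.get("get-task-allow"):
            free_account = ("(Personal Team)" in team
                            or lifetime <= PERSONAL_TEAM_MAX_LIFETIME)
            kind = "development-personal-team" if free_account else "development"
        else:
            kind = "adhoc"
    else:
        kind = "app-store"

    return {
        "kind": kind,
        "team": team,
        "lifetime_days": lifetime.days,
        "sideloaded": kind != "app-store",  # anything that bypassed App Store review
    }


def flag_sideloaded(profiles: dict) -> list:
    """Given {app_name: decoded_profile_bytes}, list apps not signed for the App Store."""
    return [name for name, blob in profiles.items()
            if classify_profile(blob)["sideloaded"]]


# --- Constructed sample profiles (illustrative values, not real identifiers) ---
def _profile(**overrides) -> bytes:
    base = {
        "AppIDName": "XC constructed app",
        "CreationDate": datetime(2016, 2, 20, 10, 0, 0),
        "ExpirationDate": datetime(2017, 2, 20, 10, 0, 0),
        "TeamName": "Constructed Corp",
        "Entitlements": {"get-task-allow": False},
    }
    base.update(overrides)
    return plistlib.dumps(base)


SAMPLE_PERSONAL = _profile(
    TeamName="Jane Doe (Personal Team)",
    ExpirationDate=datetime(2016, 2, 27, 10, 0, 0),  # 7-day lifetime
    ProvisionedDevices=["constructed-device-udid"],
    Entitlements={"get-task-allow": True},
)
SAMPLE_ENTERPRISE = _profile(ProvisionsAllDevices=True)
SAMPLE_APPSTORE = _profile()

if __name__ == "__main__":
    inventory = {"app-a": SAMPLE_PERSONAL, "app-b": SAMPLE_ENTERPRISE, "app-c": SAMPLE_APPSTORE}
    for name, blob in inventory.items():
        print(name, classify_profile(blob))
    print("sideloaded:", flag_sideloaded(inventory))
```

Running this over the three constructed samples marks the personal-team and enterprise apps as sideloaded and leaves the App Store one alone; the same check applied to a real device inventory is how a fleet administrator would spot apps installed through either of the certificate paths the article describes.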
"We think someone has reverse-engineered Xcode in detail to analyze this part of code so that they can implement exactly the same behaviors with Xcode -- in effect, successfully cheating Apple’s server," the Palo Alto Networks researchers said in a blog post.
Some people expressed concerns when the feature was released last year that attackers might abuse it to create and distribute malware to non-jailbroken devices. ZergHelper is evidence that this is indeed possible, highlighting its potential for abuse "in a wide-ranging and automated way," the researchers said.
In fact, someone was recently selling code on a popular Chinese security forum that could automatically register Apple IDs and then generate personal development certificates for them. That post has since been deleted, the researchers said.