Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Increasingly popular update technique for iOS apps puts users at risk

Lucian Constantin | Jan. 29, 2016
JSPatch could allow malicious developers to bypass Apple's strict application review process and access restricted iOS functions.

Another one would be though an advertising network that implements JSPatch into its SDK (software development kit). If app developers would then include such an advertising SDK into their apps, it would give the advertising network the ability to abuse iOS APIs through their apps.

A third scenario would involve a JSPatch-enabled app downloading the remote JavaScript code over an unencrypted connection. This would allow an attacker who is in a position to intercept the app's traffic -- like on an open wireless network or through a hacked router -- to modify the JavaScript code en route.

"The JSPatch technology potentially allows an individual to effectively circumvent the protection imposed by the App Store review process and perform arbitrary and powerful actions on the device without consent from the users," the FireEye researchers concluded. "The dynamic nature of the code makes it extremely difficult to catch a malicious actor in action."


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.