The YiSpecter hackers exploited a number of private APIs to gain functionality inaccessible to standard iOS apps, including hiding their apps from Springboard, iOS's home page, so that they're virtually impossible to find and delete, and hijacking the logos and names of iOS system apps.
Apple scans submitted apps for private API use; when it detects them, it rejects the app. Apps that use private APIs and make it through vetting -- and onto the App Store -- can be bounced out and rendered useless on all iOS devices.
But because YiSpecter didn't shill its malware-infected apps through the official App Store -- using instead the enterprise certificate-and-distribution channel -- Apple played no part in the process. Users, faced only with a pop-up that asked them to click to continue downloading and installing such an app, typically breezed past the warning.
Result: infected iOS devices, including ones that had not been jailbroken; jailbreaking had historically been the route to most iOS infections, especially in the PRC and elsewhere in Asia.
There was little likelihood that the apps were downloaded outside the PRC and Taiwan, or by non-Chinese speakers, Olson said.
Still, it was a warning to Apple that its app vetting process and the enterprise distribution practice are under fire.
On the latter -- largely because of WireLurker and other such attacks that exploited enterprise app delivery -- Apple made changes in iOS 9, the upgrade released last month, that make those attacks more problematic.
In iOS 9, users must delve into the operating system's Settings app and make several explicit selections to allow apps to install outside the App Store.
"The change they made is going to be pretty effective [in stymying attacks]," said Olson. "Users must dig into Settings, and just because of all the steps, it will force users to think and work hard to enable it. Kudos to Apple."
The private API vector, however, will be more difficult to divert.
"Their vetting is not 100% perfect," Olson observed, pointing to a paper set for presentation next week by a team of Purdue University researchers. In the paper, the researchers examined more than 2,000 iOS apps in the App Store and found that nearly 150 -- or about 7% -- used private APIs. Yet they had made it through Apple's review process.
"Contrary to popular belief, a nontrivial number of iOS applications that violate Apple's terms of service exist in the App Store," the four Purdue researchers -- Zhui Deng, Brendan Saltaformaggio, Xiangyu Zhang and Dongyan Xu -- wrote in the paper they will present at the ACM Conference on Computer and Communications Security in Denver.