Did you know? An iOS app downloaded from Apple's official App Store can update its own code from a third-party server, automatically and without your knowledge.
Yes, it is possible, and you could end up running malicious code on your iPhone or iPad.
Unlike Google, Apple has made remarkable efforts to create and maintain a healthy and clean ecosystem in its official App Store.
Although Apple's review process and its standards for security and integrity are intended to protect iOS users, developers find the process time-consuming and extremely frustrating when they need to ship a patch for a severe bug or security flaw that is already affecting users.
To get around this, third-party hot-patching frameworks have appeared that let iOS developers push hotfixes and updates straight to users without going through Apple's review process.
Sounds great, but here's the catch:
Malicious app developers can abuse these frameworks, effectively circumventing the protection the App Store review process provides and performing arbitrary actions on the affected device, FireEye has warned.
The framework in question is JSPatch, a small JavaScript-to-Objective-C bridge that developers can embed in their iOS apps; it lets them apply hotfixes to an app that has already shipped by adding just a few lines of code.
How Does JSPatch Work?
Once the JSPatch engine is loaded inside an application, the developer can configure the app to always fetch a JavaScript file from a remote server that the developer controls. JSPatch executes that script and lets it call into the app's Objective-C classes and methods, replacing their behaviour at runtime.
Developed by a Chinese developer, JSPatch is used in as many as 1,220 iOS apps in the App Store, according to the researchers. Although they did not name the apps, the researchers say they have already notified the app providers.
So when an app needs a security fix or update, instead of going through Apple's long-winded review, the developer simply adds JavaScript to the file hosted on their server, and every installed copy of the app loads the new code the next time it fetches the file.
How to Exploit the JSPatch Framework?
There are two ways this framework can be abused:
- The developer has malicious intentions.
- The developer fetches the patch script over an unencrypted channel (plain HTTP), which allows man-in-the-middle attacks.
What if the app developer has bad intention?
A malicious developer can first submit a harmless, JSPatch-enabled application to the Apple App Store.
Once it has passed Apple's inspection and is available on the App Store, the developer can push malicious JavaScript to the running application through JSPatch and perform various actions without being detected. Because the code arrives only after review, the App Store review alone cannot catch it.
"JSPatch is a boon to iOS developers," FireEye researchers said in a blog post. "In the right hands, it can be used to quickly and effectively deploy patches and code updates. However, in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes."
What if the app's developer loads JSPatch via an unencrypted channel?
Even if the developer has no malicious intent, users are still at risk. A developer who loads JSPatch scripts over an unencrypted (HTTP) channel leaves the communication between the client and the server unprotected. (Apple's App Transport Security, introduced in iOS 9, blocks plaintext HTTP by default, but developers can opt out of it with an Info.plist exception.)
This allows an attacker to perform a man-in-the-middle (MitM) attack, intercepting the connection and tampering with the JavaScript sent to the app in order to carry out malicious actions, including:
- Access to sensitive information, such as media files and the pasteboard content.
- Change system properties.
- Load arbitrary public frameworks into the app process.
This isn't the first time iOS users have faced such problems. Last October, hundreds of iOS apps in the App Store were found collecting users' private data in violation of Apple's security and privacy guidelines.
That discovery came just a month after the XcodeGhost malware was distributed through legitimate iOS apps built with counterfeit versions of Apple's developer toolkit, Xcode.
How to Protect Yourself?
The recommendations for protecting yourself against this issue are the standard ones:
- Download apps only from the official App Store, and only apps that you need, that you know, and that you trust.
- Beware of applications that ask for an extensive set of permissions, and grant only the permissions an app actually needs.
- Review the apps installed on your devices and remove any you no longer use or do not recognise.
Keep in mind that none of this stops an app you already trust from fetching new code after it has been reviewed. The rest is up to Apple: whether to make its app update process faster, or to continue allowing a potential attack vector that could affect a large number of its apps and their users.