
Apple's approval of 'Jekyll' malware app reveals flaws in App Store review process

A group of researchers from Georgia Tech managed to get a malicious app past Apple's review process, finding the company may run only a few seconds' worth of tests before posting an app to the App Store.

Dubbed "Jekyll," the malicious software was uploaded to Apple's App Store in March to test the company's control measures, which dictate what apps are allowed to be distributed through the App Store, reports MIT's Technology Review.

According to the research team responsible for creating the software, Apple was unable to distinguish dormant bits of code that would later be assembled into a malicious app. Once installed on a victim's device, Jekyll, disguised as a news delivery app, was able to post tweets, send email and text messages, access the phone's address book, take pictures, and direct Safari to a malicious website, among other nefarious actions.

"The app did a phone-home when it was installed, asking for commands," said Stony Brook University researcher Long Lu. "This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed."

Jekyll also had code built in that allowed the researchers to monitor Apple's testing process, which reportedly only ran the app for "a few seconds" before letting it go live on the App Store. Lu said the Georgia Tech team deployed Jekyll for only a few minutes, downloading and pointing the app toward themselves for testing. No consumers installed the app before it was ultimately taken down as a safety precaution.

"The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," Lu said.

The research team wrote up its results in a paper that was scheduled for presentation on Friday at the Usenix conference in Washington, D.C.

Apple spokesman Tom Neumayr said the company took the research into consideration and has updated iOS to deal with the issues outlined in the paper. The exact specifics of these fixes were not disclosed, and no comment was made on the App Store review process.

42 Comments

droidftw 11 Years · 1009 comments

And so the game of whack-a-mole continues.

teaearlegreyhot 11 Years · 1012 comments

Unfortunately, the story makes no mention of whether THIS research team had Apple's blessing to engage in this activity. Unlike poor Mr. Balic, self-described "security researcher" who has been vilified for exposing serious issues with Apple's Dev Center website. http://appleinsider.com/articles/13/07/22/researcher-admits-to-hacking-apples-developer-site-says-he-meant-no-harm-or-damage It is sad to think that the Georgia Tech. connection is adequate to insulate this group involved in a potentially malicious activity from the same criticism that an international programmer received.

chazwatson 12 Years · 81 comments

Quote:
Originally Posted by TeaEarleGreyHot 

Unfortunately, the story makes no mention of whether THIS research team had Apple's blessing to engage in this activity. Unlike poor Mr. Balic, self-described "security researcher" who has been vilified for exposing serious issues with Apple's Dev Center website.

http://appleinsider.com/articles/13/07/22/researcher-admits-to-hacking-apples-developer-site-says-he-meant-no-harm-or-damage

It is sad to think that the Georgia Tech. connection is adequate to insulate this group involved in a potentially malicious activity from the same criticism that an international programmer received.


The difference being that this group used the application only on themselves, not real customers.  They didn't take 100,000 developer email addresses in the name of research.  In theory, they could have also used this opportunity to backdoor Apple while the app was actively running for testing.

jragosta 17 Years · 10472 comments

Quote:
Originally Posted by AppleInsider

According to the research team responsible for creating the software, Apple was unable to distinguish dormant bits of code that would later be assembled into a malicious app. Once installed on a victim's device, Jekyll, disguised as a news delivery app, was able to post tweets, send email and text messages, access the phone's address book, take pictures, and direct Safari to a malicious website, among other nefarious actions.

OK, so there's a way to bypass Apple's security. But notice that the app did not have any malicious code as submitted - the malicious code was reassembled in use. It's pretty hard to figure out how Apple (or anyone) could block an app which doesn't have malicious code when submitted. I guess they'll have to settle for just being 100,000 times more secure than their competition.

sflocal 16 Years · 6138 comments

So a security research firm has to create a scenario to test Apple's defenses.

Unlike Android, that pretty much keeps their door wide open.

I'll gladly accept Apple's "security-issues" any day versus what Android does.