Tielei Wang and his team of security researches at George Tech have discovered a vulnerability that allows them to create certain malicious iOS apps and have them published in the Apple App Store.
The team created the 'Jekyll' app, which was submitted to Apple through the normal App store review process. Once it was published, the team downloaded the app on their testing devices and were able to have the app successfully carry out malicious activities like sending emails and texts, snapping photos and more. There were even kernel vulnerabilities exploitable.
When Apple reviews the app, the code and functionality will appear harmless, however once the app is installed on a device, the code can be exploited by the authors.
The team immediately pulled their app, but there still is the potential for other similar apps to get on the App Store and do the same, unless Apple pushes out a fix.
Wang was also a part of the team that found the malicious charger vulnerability, which Apple has fixed in iOS 7 beta 4.
The team explained that since the team does not rely on any particular bug, it makes it difficult for Apple to fix.
It is not easy for Apple to detect or prevent Jekyll Apps, because it implies that Apple needs to detect or prevent intended bugs in third party apps.
The researchers have presented their findings to Apple, so hopefully this can be addressed in a future software update.
Read More via iMore via Tzvi
The team created the 'Jekyll' app, which was submitted to Apple through the normal App store review process. Once it was published, the team downloaded the app on their testing devices and were able to have the app successfully carry out malicious activities like sending emails and texts, snapping photos and more. There were even kernel vulnerabilities exploitable.
When Apple reviews the app, the code and functionality will appear harmless, however once the app is installed on a device, the code can be exploited by the authors.
The team immediately pulled their app, but there still is the potential for other similar apps to get on the App Store and do the same, unless Apple pushes out a fix.
Wang was also a part of the team that found the malicious charger vulnerability, which Apple has fixed in iOS 7 beta 4.
The team explained that since the team does not rely on any particular bug, it makes it difficult for Apple to fix.
It is not easy for Apple to detect or prevent Jekyll Apps, because it implies that Apple needs to detect or prevent intended bugs in third party apps.
The researchers have presented their findings to Apple, so hopefully this can be addressed in a future software update.
Read More via iMore via Tzvi