App Update Tool Could Endanger iOS Users

On Wednesday, FireEye posted a very detailed article about a concerning trend among iOS developers. Some developers are integrating an update library called JSPatch, used for delivering faster updates to their apps.

That’s a great idea, but unfortunately, there are some serious security concerns involved.

Apple exerts very tight control over the iOS App Store, in an attempt to keep malware out. All iOS apps have to go through a review process, both initially and at the time of any updates. If an app doesn’t pass the process, the developer must revise it and try again (or give up on iOS, which is not an appealing option for most developers).

Unfortunately, the app review process can be lengthy. Approval times vary wildly; according to some statistics, it rarely happens in less than 6 days, and can swing much higher than that at peak times.

So, imagine you’re an app developer with a critical issue in your app, and you’ve got to get a fix pushed out now. Unfortunately, it’s probably going to take at least 5-6 days, and probably longer, before your update is in the hands of users. In the meantime, of course, you get bad reviews, complaints on user forums, etc. This kind of bad publicity can kill a product.

Now imagine that someone offered you a way to update your app today, instead of next week. Sounds appealing, right? That’s exactly what JSPatch offers. Developers can incorporate JSPatch into their code, then deploy updates through JSPatch, by writing JavaScript code that calls through to iOS code directly.

This sounds great for developers and users alike, but you’re reading about this on the Malwarebytes site… it doesn’t take a genius to know there’s a “but” coming.

Apple’s App Store review process exists for a reason: to ensure that apps in the App Store are well-behaved, and are only doing things that they’re allowed to do. There are many code libraries in iOS that third-party apps simply aren’t allowed to touch. However, the only enforcement of that is in the review process. There’s no restriction in the system that prevents apps from using certain functions.

This means that apps that use JSPatch are essentially bypassing the review process, and thus can call all manner of restricted routines. An app could potentially import code via JSPatch that would allow it to capture your private data, for example, using code that would have gotten that app rejected by the App Store review process.

This opens the door to many potential abuses. An app developer could publish an innocuous app in the iOS App Store, get it approved, then push changes that would steal all your photos or potentially scrape passwords out of the iOS Pasteboard.

Worse, a legit developer could incorporate a third-party code library that is not as trustworthy as he/she thought. Then, the maker of that library could push malicious changes to a legit app.

Even if the developer is entirely trustworthy and uses no third-party code in their app, there’s another possible issue. If you connect your iOS device to an untrustworthy wifi network, and there’s a security issue with how that app downloads its updates via JSPatch, an attacker in a privileged position on that network could inject malicious code through a fake update.

Unfortunately for security-conscious users, there’s no easy way to determine whether a particular app includes JSPatch. Which means you could be vulnerable right now and not even know it. Apple does not allow anti-malware apps in the iOS App Store, due to security restrictions that effectively neuter such software. However, that means nothing can scan your iPhone for potentially vulnerable apps.

Unfortunately, even if Apple decides to ban all JSPatch code from the iOS App Store, it’s easily possible that a malicious developer could create a similar method for dynamically altering the functionality of his/her app without getting blocked.

This is a potentially very serious issue with iOS, that could open the door to more widespread iOS malware. It will be interesting to see how Apple handles it.