Hot-Patching Tools Another Crack In Apple’s Walled Garden

Researchers at FireEye investigate how the tools some iOS developers use to push out patches more quickly are themselves a threat to Apple security.

FireEye researchers are investigating another crack in the walled garden of Apple’s secure development environment — one that affects non-jailbroken iOS devices. Ironically, the hot-patching tools some app developers use to quickly push out security updates when they find Apple’s official review and approval process too sluggish could themselves be a threat to security, researchers wrote today.

Non-jailbroken iOS devices first took a hit in September, when XCodeGhost managed to sneak Trojanized iOS apps into the official App Store. Instead of going after users directly, XCodeGhost used innocent developers as pawns in the scheme, tricking them into building their apps with a malicious version of the XCode application development software.

[Read more on XCodeGhost and everything else you need to know about recent fissures in the walled garden in Dark Reading’s “The State of Apple Security.”]

FireEye researchers say hot-patching tools pose a similar threat.

To protect users from the dangers of the unknown, Apple makes all apps go through a review process before they are allowed onto the official App Store in the first place. From the researchers’ blog today:

“While the process is intended to protect iOS users and ensure apps meet Apple’s standards for security and integrity, developers who have experienced the process would agree that it can be difficult and time consuming.

The same process then must be followed when publishing a new release or issuing a patched version of an existing app, which can be extremely frustrating when a developer wants to patch a severe bug or security vulnerability impacting existing app users.”

Although this subsequent process isn’t as long as the initial one, it takes, on average, seven days before the updated code is approved. To avoid the delay, developers have begun to come up with ways around the system, creating tools that enable them to push out patches more directly. 

“While these technologies provide a more autonomous development experience, they do not meet the same security standards that Apple has attempted to maintain. Worse, these methods might be the Achilles heel to the walled garden of Apple’s App Store.”

Today, FireEye published the first installment of a series of investigations into these tools. The security firm kicked off the series with a study of JSPatch, an open-source project built on Apple’s JavaScriptCore framework. Apps with JSPatch embedded within them can directly roll out patches using JavaScript, without having to go through Apple’s runaround again.

JSPatch is currently in use by 1,220 apps in the App Store, mostly in China. None of these apps are malicious, according to FireEye, but the potential to use the JSPatch tool for nefarious purposes remains. 

FireEye poses three different scenarios in which JSPatch could be manipulated:

1. A malicious developer embeds JSPatch in a seemingly innocuous app, gets it approved by Apple, then pushes malicious JavaScript to “patch” users’ apps later.

2. A malicious ad SDK creator embeds JSPatch into the SDK. Innocent app developers use that SDK in their apps, and the SDK developer pushes malicious JavaScript to users via the app later.

3. A man-in-the-middle attacker takes advantage of poorly secured client-server communications to intercept and modify the JavaScript sent from app developers to users.

It’s a familiar situation for IT professionals — if impatient users aren’t satisfied with the tools you’ve provided or the restrictions you’ve placed them under, they’ll find new tools and work around your restrictions. That rule holds even for well-meaning, security-minded app developers.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …