Endpoint
1/27/2016
06:00 PM

Hot-Patching Tools Another Crack In Apple's Walled Garden

Researchers at FireEye investigate how the tools some iOS developers use to push out patches more quickly are themselves a threat to Apple security.

FireEye researchers are investigating another crack in the walled garden of Apple's secure development environment -- one that affects non-jailbroken iOS devices. Ironically, the hot-patching tools some app developers use to quickly push out security updates when they find Apple's official review and approval process too sluggish could themselves be a threat to security, the researchers wrote today.

Non-jailbroken iOS devices first took a hit in September 2015, when XcodeGhost managed to sneak Trojanized iOS apps into the official App Store. Instead of going after users directly, XcodeGhost used innocent developers as pawns, tricking them into building their apps with a malicious copy of the Xcode development software.

[Read more on XcodeGhost and everything else you need to know about recent fissures in the walled garden in Dark Reading's "The State of Apple Security."]

FireEye researchers say hot-patching tools pose a similar threat.

To protect users from the dangers of the unknown, Apple makes all apps go through a review process before they are allowed onto the official App Store in the first place. From the researchers' blog today:

"While the process is intended to protect iOS users and ensure apps meet Apple’s standards for security and integrity, developers who have experienced the process would agree that it can be difficult and time consuming.

The same process then must be followed when publishing a new release or issuing a patched version of an existing app, which can be extremely frustrating when a developer wants to patch a severe bug or security vulnerability impacting existing app users."

Although this subsequent process isn't as long as the initial one, it takes, on average, seven days before the updated code is approved. To avoid the delay, developers have begun to come up with ways around the system, creating tools that push new code directly to installed apps without another trip through review.

"While these technologies provide a more autonomous development experience, they do not meet the same security standards that Apple has attempted to maintain. Worse, these methods might be the Achilles heel to the walled garden of Apple’s App Store."

Today, FireEye published the first installment of a series of investigations into these tools. The security firm kicked off the series with a study of JSPatch, an open-source project built on Apple's JavaScriptCore framework. An app that embeds JSPatch downloads JavaScript at runtime; the JSPatch engine bridges that script to the Objective-C runtime, so the script can call any Objective-C method or replace an existing method's implementation. The app's behavior changes in place, without going through Apple's review again.

JSPatch is currently in use by 1,220 apps in the App Store, mostly in China. FireEye found none of these apps to be malicious, but the potential to use JSPatch for nefarious purposes remains: whoever controls the script an app downloads controls what the app does.

FireEye poses three different scenarios in which JSPatch could be manipulated:

1. A malicious developer embeds JSPatch in a seemingly innocuous app, gets it approved by Apple, then pushes malicious JavaScript to "patch" users' apps later.

2. A malicious ad SDK creator embeds JSPatch into the SDK. Innocent app developers use that SDK in their apps, and the SDK developer pushes malicious JavaScript to users via the app later.

3. A man-in-the-middle attacker takes advantage of poorly secured client-server communications (for example, patches fetched over plain HTTP) to intercept and modify the JavaScript sent from app developers to users.

It's a familiar situation for IT professionals -- if impatient users aren't satisfied with the tools you've provided or the restrictions you've placed on them, they'll find new tools and work around your restrictions. That rule applies even to well-meaning, security-minded app developers.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Sara Peters, User Rank: Author, 2/1/2016 | 12:16:11 PM
Re: JSPatch is Cool, Make No Mistake
@Christian Bryant   It's a great point. With any kind of vulnerability disclosure you're doing a balancing act and running a risk -- are you helping the good guys, the bad guys, or both? When you're disclosing a potential threat in a security tool, you're taking that conflict a step further, adding the risk that people will cease using a security tool that is actually helpful the majority of the time.

Of course, you wouldn't need JSPatch at all if Apple were significantly faster with their process, would you? Is JSPatch kind of like that "shadow IT" problem enterprise IT people are always struggling with?
Dr.T, User Rank: Ninja, 1/30/2016 | 10:52:18 AM
Re: JSPatch is Cool, Make No Mistake
"...I wonder how calling out JSPatch could harm similar cool apps that are trying ..."

I hear you. When you have this powerful a tool on client devices there is always an opportunity to exploit it.
Dr.T, User Rank: Ninja, 1/30/2016 | 10:49:03 AM
Re: JSPatch is Cool, Make No Mistake
"...JSPatch bridges Objective-C and JavaScript using the Objective-C runtime. ..."

This would be quite powerful. I wonder how Swift and JSPatch would interact.
Dr.T, User Rank: Ninja, 1/30/2016 | 10:45:47 AM
Re: Difficult
"...security will reduce the ease of use and vice versa ..."

That might be true; there are always alternatives to balance ease of use and security/privacy.
Dr.T, User Rank: Ninja, 1/30/2016 | 10:44:02 AM
Re: Difficult
"This is the age old difficult war between security and ease of use. One will always suffer for the other."

Agree. Security should always be about the balance of CIA: Confidentiality, Integrity and Availability.
Dr.T, User Rank: Ninja, 1/30/2016 | 10:41:59 AM
XcodeGhost?
This was not really a vulnerability of iOS; it is the lack of attention of developers. Nobody should be downloading an important development tool anywhere but Apple-related sites.
Christian Bryant, User Rank: Ninja, 1/28/2016 | 6:22:47 PM
JSPatch is Cool, Make No Mistake
I think JSPatch is cool, make no mistake.  Just look at the synopsis from the project page:  "JSPatch bridges Objective-C and JavaScript using the Objective-C runtime. You can call any Objective-C class and method in JavaScript by just including a small engine. That makes the APP obtaining the power of script language: add modules or replacing Objective-C code to fix bugs dynamically."

Now, why wouldn't an app developer want to embed something like this in their app?  I'm generally one to err on the side of caution, but with such a cool app at stake, now I wonder how calling out JSPatch could harm similar cool apps that are trying to do good and useful tech?  I highly recommend everyone check out GitHub, user bang590 and help improve the project so this and similar projects aren't harmed by premature cautions thrown out by security analyst groups.
RyanSepe, User Rank: Ninja, 1/28/2016 | 3:43:13 PM
Re: Difficult
Very much agree. I think it's important to note that, in most cases, security will reduce the ease of use and vice versa. But I like to think that there is an easy way to do things and there is a right way to do things. People tend to choose ease of use until they get burnt; then their stances tend to shift.
Whoopty, User Rank: Ninja, 1/28/2016 | 7:42:10 AM
Difficult
This is the age old difficult war between security and ease of use. One will always suffer for the other. Education is the key to making both work more efficiently though, so better practices for developers and users could fix a lot of the issues created by an over abundance of one or the other.