FireEye researchers are investigating another crack in the walled garden of Apple's secure development environment -- one that affects non-jailbroken iOS devices. Ironically, the hot-patching tools some app developers use to quickly push out security updates when they find Apple's official review and approval process too sluggish could themselves be a threat to security, researchers wrote today.
Non-jailbroken iOS devices first took a hit in September, when XcodeGhost managed to sneak Trojanized iOS apps into the official App Store. Instead of going after users directly, XcodeGhost used innocent developers as pawns in its scheme, tricking them into building their apps with a malicious version of the Xcode application development software.
FireEye researchers say hot-patching tools pose a similar threat.
To protect users from the dangers of the unknown, Apple makes all apps go through a review process before they are allowed onto the official App Store in the first place. From the researchers' blog today:
"While the process is intended to protect iOS users and ensure apps meet Apple’s standards for security and integrity, developers who have experienced the process would agree that it can be difficult and time consuming.
The same process then must be followed when publishing a new release or issuing a patched version of an existing app, which can be extremely frustrating when a developer wants to patch a severe bug or security vulnerability impacting existing app users."
Although this subsequent process isn't as long as the initial one, it takes, on average, seven days before the updated code is approved. To avoid the delay, developers have begun to come up with ways around the system, creating tools that enable them to push out patches more directly.
"While these technologies provide a more autonomous development experience, they do not meet the same security standards that Apple has attempted to maintain. Worse, these methods might be the Achilles heel to the walled garden of Apple’s App Store."
JSPatch is currently in use by 1,220 apps in the App Store, mostly in China. None of these apps are malicious, according to FireEye, but the potential to use the JSPatch tool for nefarious purposes remains.
FireEye poses three different scenarios in which JSPatch could be manipulated:
It's a familiar situation for IT professionals -- if impatient users aren't satisfied with the tools you've provided or the restrictions you've placed them under, they'll find new tools and work around your restrictions. That rule applies even to well-meaning, security-minded app developers.