A group of researchers successfully slid malware past Apple’s safeguards and into the iOS App Store — a scary exposure for the operating system often touted as one of the safest in the industry.
These developers, who presented their findings at the USENIX conference last week, created what they call a “Jekyll app” (yes, think Dr. Jekyll and Mr. Hyde). Its creators can remotely control and reconfigure the app, which means it goes through Apple’s review process looking like one app but can change once inside your phone.
Those looking for a secure smartphone have turned to iOS devices because they only support apps downloaded from Apple’s App Store, which has a relatively intense review process. The company checks every app that enters the system and further isolates apps in a “sandbox,” where their actions and access to the rest of the system are restricted.
The group figured out a way to “rearrange signed code” after the App Store has approved it. This means that once the app is in the system, the team can alter its “control flows,” the paths of execution through the app’s code that determine which actions it performs. From there, the Jekyll app can steal your device information, send tweets and emails, take photos, and even attack other apps on the phone despite being in a sandbox.
After getting the app approved, the research team quickly downloaded it and removed it from the App Store to make sure no one outside the test installed it. They say they have data to prove it was contained.
Apple, according to Technology Review, says it has made some changes to the OS after reviewing the research. Researcher Tielei Wang told The Guardian that this could be solved with stricter sandbox policies.