Hot-Patching Tools Another Crack In Apple's Walled Garden

Published: 22/11/2024   Category: security




Researchers at FireEye investigate how the tools some iOS developers use to push out patches more quickly are themselves a threat to Apple security.



FireEye researchers are investigating another crack in the walled garden of Apple's secure development environment -- one that affects non-jailbroken iOS devices. Ironically, the hot-patching tools some app developers use to quickly push out security updates when they find Apple's official review and approval process too sluggish could themselves be a threat to security, researchers wrote today.
Non-jailbroken iOS devices first took a hit in September, when XCodeGhost managed to sneak Trojanized iOS apps into the official App Store. Instead of going after users directly, XCodeGhost used innocent developers as pawns in its scheme, tricking them into writing their apps with a malicious version of the XCode application development software.
[Read more on XCodeGhost and everything else you need to know about recent fissures in the walled garden in Dark Reading's The State of Apple Security.]
FireEye researchers say hot-patching tools pose a similar threat.
To protect users from the dangers of the unknown, Apple makes all apps go through a review process before they are allowed onto the official App Store in the first place. From the researchers' blog today:
While the process is intended to protect iOS users and ensure apps meet Apple’s standards for security and integrity, developers who have experienced the process would agree that it can be difficult and time consuming.
The same process then must be followed when publishing a new release or issuing a patched version of an existing app, which can be extremely frustrating when a developer wants to patch a severe bug or security vulnerability impacting existing app users.
Although this subsequent process isn't as long as the initial one, it takes, on average, seven days before the updated code is approved. To avoid the delay, developers have begun to come up with ways around the system, creating tools that enable them to push out patches more directly.
While these technologies provide a more autonomous development experience, they do not meet the same security standards that Apple has attempted to maintain. Worse, these methods might be the Achilles heel to the walled garden of Apple’s App Store.
Today, FireEye published the first installment of a series of investigations into these tools. The security firm kicked off the series with a study of JSPatch, an open-source project built on Apple's JavaScriptCore framework. Apps with JSPatch embedded within them can directly roll out patches using JavaScript, without having to go through Apple's runaround again.
JSPatch is currently in use by 1,220 apps in the App Store, mostly in China. None of these apps are malicious, according to FireEye, but the potential to use the JSPatch tool for nefarious purposes remains.  
FireEye poses three different scenarios in which JSPatch could be manipulated:
1. A malicious developer embeds JSPatch in a seemingly innocuous app, gets it approved by Apple, then pushes malicious JavaScript to patch users' apps later.
2. A malicious ad SDK creator embeds JSPatch into the SDK. Innocent app developers use that SDK in their apps, and the SDK developer pushes malicious JavaScript to users via the app later.
3. A man-in-the-middle attacker takes advantage of poorly secured client-server communications to intercept and modify the JavaScript sent from app developers to users.
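One mitigation for the third scenario, as an added example that is not from the FireEye research or the JSPatch project: the client accepts a downloaded patch only if a signed manifest verifies against a public key pinned in the app, the script matches the hash in that manifest, and the version is newer than the installed one. The function names, the manifest layout and the demo key pair are assumptions of this sketch; in an iOS app the same check would run in native code before the script reaches JavaScriptCore, and it does nothing against scenarios 1 and 2, where the party holding the signing key is the attacker.

```javascript
// Added example: gate a hot patch on signature, hash and version checks.
const crypto = require('node:crypto');

// Constructed demo key pair. In a real deployment only the public key ships
// inside the app; the private key never leaves the developer's signing host.
const { publicKey: PINNED_PUBLIC_KEY, privateKey: demoSigningKey } =
  crypto.generateKeyPairSync('ed25519');

const sha256Hex = (data) =>
  crypto.createHash('sha256').update(data).digest('hex');

// Developer side (hypothetical helper): sign a manifest that binds the
// script's hash to a monotonically increasing version number.
function signPatch(script, version, signingKey) {
  const manifest = JSON.stringify({ version, sha256: sha256Hex(script) });
  const signature = crypto.sign(null, Buffer.from(manifest), signingKey);
  return { script, manifest, signature: signature.toString('base64') };
}

// Client side: return the script only if every check passes, otherwise throw.
function verifyPatch(bundle, installedVersion, pinnedKey = PINNED_PUBLIC_KEY) {
  const sig = Buffer.from(bundle.signature, 'base64');
  // 1. The manifest must be signed by the key pinned in the app, so transport
  //    security alone is never the only thing protecting the patch.
  if (!crypto.verify(null, Buffer.from(bundle.manifest), pinnedKey, sig)) {
    throw new Error('bad signature');
  }
  // The manifest is parsed only after its signature has been verified.
  const { version, sha256 } = JSON.parse(bundle.manifest);
  // 2. The script that arrived must be the script that was signed.
  if (sha256Hex(bundle.script) !== sha256) {
    throw new Error('script hash mismatch');
  }
  // 3. Refuse replays of an older, validly signed patch.
  if (!Number.isInteger(version) || version <= installedVersion) {
    throw new Error('stale or replayed patch');
  }
  return bundle.script;
}

// Convenience wrapper that reports the verdict as a string.
function checkPatch(bundle, installedVersion) {
  try {
    verifyPatch(bundle, installedVersion);
    return 'accepted';
  } catch (err) {
    return 'rejected: ' + err.message;
  }
}
```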
It's a familiar situation for IT professionals -- if impatient users aren't satisfied with the tools you've provided or the restrictions you've placed them under, they'll find new tools and work around your restrictions. That rule applies even to well-meaning, security-minded app developers.
