Increasingly popular update technique for iOS apps puts users at risk

JSPatch could allow malicious developers to bypass Apple's strict application review process and access restricted iOS functions

An increasing number of iOS application developers use a technique that allows them to remotely modify the code in their apps without going through Apple's normal review process, potentially opening the door to abuse and security risks for users.

The technique is a variation of hot patching, which is a way of dynamically updating a system or application without restarting it. In this case, an iOS application is updated without the developer having to submit a new version to the official iOS app store and then wait for Apple's review of the changes, which can be a lengthy process.

An implementation of this hot patching method comes from an open-source project called JSPatch, which provides an engine that app developers can integrate into their apps and which bridges JavaScript code to Objective-C, the programming language used by iOS apps.

For example, after adding the JSPatch engine to their application, which requires just 7 lines of code, developers can configure the app to always load JavaScript code from a remote server they control. This code is then interpreted by the JSPatch engine and converted into Objective-C.

"JSPatch is a boon to iOS developers," security researchers from FireEye said in a blog post. "In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes."

The problem is that hot patching is at odds with the iOS security model, which partially draws its strength from Apple's walled garden, its carefully controlled app store.

There are some security-related restrictions that Apple imposes on third-party apps and which are solely enforced through the app store review process. JSPatch allows developers to bypass such policies.

For example by using this method, an app could access some iOS APIs without having declared them when it was first submitted and accepted into the app store. It can also access restricted APIs that only Apple applications are allowed to use.

An app could change system settings, enumerate account types on the device, collect the metadata of pictures in the photo album or access information stored in the pasteboard, the FireEye researchers said. There are currently some limitations to what attackers can do, but these limitations can easily disappear if the JSPatch developers choose to expose additional C functions or if app creators make some changes to the engine themselves, they said.

There are a few possible scenarios for JSPatch abuse. The most straightforward one would involve a developer who is intentionally malicious and leverages JSPatch to avoid his rogue code being detected by Apple.

Another one would be though an advertising network that implements JSPatch into its SDK (software development kit). If app developers would then include such an advertising SDK into their apps, it would give the advertising network the ability to abuse iOS APIs through their apps.

A third scenario would involve a JSPatch-enabled app downloading the remote JavaScript code over an unencrypted connection. This would allow an attacker who is in a position to intercept the app's traffic -- like on an open wireless network or through a hacked router -- to modify the JavaScript code en route.

"The JSPatch technology potentially allows an individual to effectively circumvent the protection imposed by the App Store review process and perform arbitrary and powerful actions on the device without consent from the users," the FireEye researchers concluded. "The dynamic nature of the code makes it extremely difficult to catch a malicious actor in action."

Join the CSO newsletter!

Error: Please check your email address.

More about AppleApple.FireEye

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts