Skip to main content

Apple's iOS still more secure than Android despite spoof of App Store

posted onAugust 19, 2013
by l33tdawg

A paper presented at last week's USENIX Security Symposium in Washington described how a group of security researchers at Georgia Tech were able to create a "novel method of attack" that can defeat the mandatory software review and code-signing mechanisms defending apps in the Apple App Store. The title of the paper was Jekyll on iOS.

    The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.

    We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.

Source

Tags

Apple iOS Android Security

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th