
iOS security weaknesses uncovered

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 02 Aug 2013

Two weaknesses that could allow attackers to install malware onto Apple mobile devices, using apps and peripherals, have been uncovered.

Researchers from Georgia Tech Information Security Centre, who found the flaws, say the weak points allow attackers to bypass Apple's security systems. The full findings were presented this week during the Black Hat conference, in Las Vegas.

Associate director of the centre, Paul Royal, said Apple makes use of a "mandatory app review process to ensure that only approved apps are allowed to run on its devices".

Researcher Tielei Wang managed to hide malware that would usually be rooted out during the company's review process. Once the malware had been sneaked past that review and installed on a device, however, it was able to do some serious damage.

The proof-of-concept attack developed by Wang and his team, called Jekyll, "rearranges its own code to create new functionality" that is not displayed in the approval process. In this way, the dangerous aspects of the app are obfuscated at review time, and the app passes through the review process undetected.

"We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices," says Wang. "Our research shows that, despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending e-mail and SMS, and even attacking other apps - all without the user's knowledge."

Fellow researcher Billy Lau tried something completely different, and investigated "the extent to which security threats were considered" when conducting daily tasks like charging the device. He and his team developed a proof-of-concept "malicious charger" that needed only a small, cheap, single-board computer.

Once plugged in to a device, the charger secretly installs a malicious app onto the handset.

Lau said the charger, dubbed Mactans, could easily be built to resemble a legitimate iPhone or iPad charger.

According to Lau, Mactans was able to install arbitrary apps within one minute of being plugged into the device, completely bypassing Apple's "plethora of security measures". He added that all users are affected, as his approach does not require the device to be jailbroken, nor does it need user interaction.

Both teams advised Apple of these weaknesses, and Apple subsequently introduced a feature in iOS 7 that will notify users when a peripheral they plug in tries to establish a connection. Reuters reports that Apple's devices remain vulnerable to these attacks until the company releases the iOS 7 software update, which is scheduled for later this year.

Apple is also looking for ways to address the Jekyll problem, but has not yet released a solution.

Although only proofs of concept, the research has revealed significant flaws in Apple's protocols, which is not too surprising, as the company has long been accused of having a lackadaisical attitude towards security.

Renewed activity

The last few weeks have seen a stepping-up of malicious activity against Apple.

Two weeks ago, ITWeb reported that Apple's developer site was still down, following a serious hack that may have exposed developers' names, mailing addresses, and/or e-mail addresses. A Turkish hacker claimed responsibility, and said he only hacked the site as he was frustrated with Apple for ignoring several reports he had submitted to the company on bugs he had found.

Also within the last couple of weeks, a strain of Federal Bureau of Investigation-themed ransomware targeting Apple users was discovered. The malicious code hijacked Safari and demanded several hundred dollars to release it. Although Windows users have been plagued by ransomware for years, cyber crooks are waking up to the growing Apple market, and taking advantage of the "security is not an Apple problem" attitude that many of its users have.

Another piece of spyware for Apple OS X reared its head about two weeks ago. ITWeb reported on Janicab.A, which employed a special Unicode character in its file name to disguise malicious installations as standard files, and trick users into installing them.

Again, the ploy is not new for Windows users, but a first for Apple. Once the malware is opened, it triggers a standard Mac OS X pop-up dialogue, warning the user that the file was downloaded from the Internet. The trick it uses causes the file name in that warning to be displayed right to left, making it difficult to read. Once opened, Janicab.A installs itself as a hidden file in the home directory, and opens a PDF document that presents itself as a Russian news article.
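As an added illustration (not code from the article or the researchers it cites), the following Python check shows how a defender can flag file names that use a Unicode right-to-left override, the trick described for Janicab.A above, by comparing the extension a user would see with the real one; the sample names are constructed.

```python
"""Flag file names that use Unicode bidi override characters to disguise
their real extension (the right-to-left trick described above).
Added example; the sample names below are constructed."""
import unicodedata

# Bidi control characters that can reorder how a name is displayed.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # embeddings/overrides
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
    "\u200E", "\u200F",                                # LRM / RLM marks
}

def strip_bidi(name):
    """The name as the filesystem actually stores and interprets it."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)

def displayed_name(name):
    """Approximate what a dialogue shows: text after U+202E (RLO) is drawn
    reversed up to the next U+202C (PDF) or the end of the string."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            j = i + 1
            while j < len(name) and name[j] != "\u202C":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1                      # other controls are invisible
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyse(name):
    """Report the controls found and whether the shown extension differs
    from the real one, which is the signature of this disguise."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS]
    real_ext, shown = extension(strip_bidi(name)), displayed_name(name)
    return {"name": name, "controls": controls, "displayed_as": shown,
            "real_extension": real_ext, "apparent_extension": extension(shown),
            "suspicious": bool(controls) and real_ext != extension(shown)}

SAMPLES = ["news_article.pdf",            # benign, constructed
           "RecentNews.\u202Efdp.app"]     # constructed: shown as RecentNews.ppa.pdf
```

Running `analyse` over `SAMPLES` flags only the second name, whose real extension is `app` while the dialogue would show `pdf`.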
