FireEye report identifies iOS security storm-in-a-tea-cup

FireEye researchers have released a report which details potential security issues with software used to dynamically patch iOS apps.

FireEye, the California-based security company

FireEye researchers have released a report which details what they are calling a “serious security risk for iOS users” due to a system used by app developers to speed the process of patching apps in the iOS App Store.

The software in question, JSPatch, is an open-source solution used by app developers as a way to speed up Apple's review process for patching apps. JSPatch bridges Objective-C (which iOS apps are written in) and JavaScript using the Objective-C runtime. You can call any Objective-C class and method in JavaScript by just including a small engine in an app. This allows the developer to patch Objective-C code to fix bugs dynamically.

FireEye is saying JSPatch can be exploited by hackers to change things like cellular service status, remotely access and export personal photos from an iOS device, and even use the iOS Pasteboard to copy and paste content between different iPhone apps to then copy and export personal data from an iOS device.

The report says that currently only 1220 apps use the software of Chinese origin. To give that number some perspective, Statista estimates that there are currently roughly 1.5 million apps in the iOS App Store, which means apps using JSPatch equate to just under a percent of all the apps available worldwide.
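For teams that want to know whether apps they ship or deploy embed JSPatch, the following is an added example (not from this article or the FireEye report) that scans an IPA archive for it. The marker names `JSPatch.js` and `JPEngine` are assumptions based on the open-source project, and the sample archives are constructed.

```python
import io
import zipfile

# Assumed markers (not from the article): the JSPatch project ships a
# JSPatch.js script and an Objective-C class named JPEngine.
SCRIPT_NAME = "jspatch.js"
BINARY_MARKERS = (b"JPEngine", b"JSPatch")
# Mach-O thin (32/64-bit, both byte orders) and fat-binary magic numbers.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def scan_ipa(ipa_bytes):
    """Return sorted (path, reason) findings for one IPA (a zip archive)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.rsplit("/", 1)[-1].lower() == SCRIPT_NAME:
                findings.append((name, "bundled JSPatch script"))
                continue
            with ipa.open(info) as fh:
                if fh.read(4) not in MACHO_MAGICS:
                    continue  # not executable code, skip resources
                body = fh.read()
            hit = next((m for m in BINARY_MARKERS if m in body), None)
            if hit:
                findings.append((name, "binary references " + hit.decode()))
    return sorted(findings)


def build_ipa(files):
    """Build an in-memory IPA from {path: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in files.items():
            z.writestr(path, data)
    return buf.getvalue()


# Constructed samples: fake Mach-O headers followed by filler bytes.
MAGIC64 = b"\xcf\xfa\xed\xfe"
CLEAN = build_ipa({"Payload/Clean.app/Clean": MAGIC64 + b"\x00main\x00",
                   "Payload/Clean.app/notes.txt": b"mentions JPEngine in docs"})
PATCHED = build_ipa({"Payload/Demo.app/Demo": MAGIC64 + b"\x00JPEngine\x00",
                     "Payload/Demo.app/JSPatch.js": b"// engine script"})

if __name__ == "__main__":
    for label, ipa in (("clean", CLEAN), ("patched", PATCHED)):
        print(label, scan_ipa(ipa))
```

Binaries downloaded from the App Store are encrypted, so the string check is only reliable on unencrypted builds such as those from your own build pipeline; the script-file check does not depend on that. A clean result is not proof of absence, since an engine can be renamed or its script fetched at runtime.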

Speaking to SCMagazineUK.com, Sarat Pediredla, CEO of Hedgehog Lab, a London-based app development company, said that, “If you look at the website appreviewtimes.com, the average time it says Apple takes to approve a revision of an app into the iOS App Store, is currently listed as five days.” He goes on to explain that, “We're aware of JSPatch, and despite the benefits it gives to us as an app development company which would save us time and money, we choose not to use it because of the security issues it could lead to”.

The researchers at FireEye go on to say that, “It is a general belief that iOS devices are more secure than mobile devices running other operating systems …. [Apple's ability] to provide and maintain a secure ecosystem for iOS users and developers [stems from] their walled garden – the App Store. Apps distributed through the App Store are significantly more difficult to leverage in meaningful attacks.”

However, FireEye is also quick to dismiss Apple's review times, citing developers who have called them “difficult and time consuming”.

Kasper Welner, lead iOS developer for Danish app development agency Nodes, spoke to SC and said that, “I was not aware of [JSPatch] and I was surprised to find [Apple] would allow for remote code executions”. He went on to explain that, “I definitely think that using something like this is a good idea for us as an agency - it would get you out of a situation where you launched an app with a critical bug and have an angry client on the end of the phone quite quickly. However, Apple does offer an expedited review process where you can say that there is a critical bug in the software and they generally review the code within about 48 hours, so JSPatch becomes kind of unnecessary”.

Josh Goldfarb, CTO of Emerging Technologies at FireEye, spoke to SC and recognised that, "Although the number of apps using this is relatively small in comparison to the total amount of apps in the iOS App Store, some app developers might want to take a short-cut in the process of getting a revision of their app approved and use something like JSPatch. This would mean that people need to be aware of the risks of using it".