Patching Tool Under Scrutiny

Thursday, April 7, 2016 @ 05:04 PM gHale


There is another hot-patching solution for iOS applications an attacker could leverage to turn apps into malware.

Updates and hotfixes created by iOS application developers for software available in the Apple App Store have to go through a strict security and integrity verification process.

RELATED STORIES
Corporate iOS Devices Targeted
iOS Zero Day in iMessage Encryption
New Way to Hack iCloud Account
Abandoned App Details in Open

Since this can be a problem, especially when fixes need to be pushed out quickly, some companies and independent developers created tools that make it possible to release updates directly to users.

While these solutions can be useful as they allow developers to easily roll out fixes by adding a few lines of code to their applications, researchers at FireEye found this can also be a problem as attackers could push malicious code to apps after they pass Apple’s inspection.

In January, FireEye analyzed JSPatch, an open source hot-patching tool built on top of Apple’s JavaScriptCore framework. JSPatch is in over 1,200 apps available in the App Store.

In addition, FireEye researched a similar tool called Rollout.io and gave its analysis.

Rollout is a commercial tool that allows developers to easily debug and hot-patch their products by giving them remote code-level access to the live app. Using technologies and techniques such as debug symbol (dSYM) files, the JavaScriptCore framework, and method swizzling, Rollout enables developers to carry out a wide range of modifications.

Researchers reported identifying the use of Rollout in 245 apps found in the App Store (as of January 19), and the developer said it is currently running on 35 million devices. Unlike JSPatch, which mainly ends up used by Chinese developers, Rollout’s customer base is international and predominantly English-speaking.

FireEye published a report detailing how attackers can use Rollout and Apple’s private APIs to access a device’s camera and microphone, scan a phone to determine if a certain application is installed, make calls to premium numbers, and take screenshots.

There are two scenarios for an attack involving Rollout: The app developer is malicious, or an unwitting developer integrates a malicious third-party ad SDK into a legitimate app.

FireEye informed Rollout of its findings and the vendor is preparing a new version of its product that will prevent developers from accessing private iOS APIs and frameworks.