In August, researchers at Georgia Tech announced that they had managed to circumvent the security checks of the Apple App Store with a malicious app they called Jekyll. Presenting their findings, they questioned whether Apple’s use of static analysis tools was sufficient security screening for new App Store entries.
At the same time, Apple’s security approach is clearly doing something right: of the 108 mobile malware programs discovered in 2012, 95 percent targeted Android, according to Symantec. Apple’s review process offers a view of how static analysis works to vet software security and how it might be strengthened with manual code review.
Apple’s App Store is known for its security and thorough approach to reviewing all apps that are submitted, Macworld’s Marco Tabini explained in a recent article. Each app is manually tested, and all submissions are subjected to static analysis to determine whether the app attempts to use any off-limits functionalities or to carry out actions it doesn’t claim to, such as making calls or sending text messages without the user’s permission.
How Jekyll worked
According to the Georgia Tech research team’s monitoring of the Jekyll app, Apple only ran it for a few seconds before approving it. This brief look failed to catch the app’s trick, which was that it was designed to download additional code from a remote server after installation and rewrite itself to contain malicious functions that would not have been approved.
In addition to its review process, Apple is normally able to prevent this kind of post-installation rewriting through application sandboxing, which prevents apps from accessing information in other apps or directly downloading additional code, Tabini noted. But by breaking the dangerous elements down into innocuous, approved functions like the permissions to access a webpage or email a contact and assembling them after installation, Jekyll could avoid detection.
“The app did a phone-home when it was installed, asking for commands,” Long Lu, a researcher at Stony Brook University who was part of the Georgia Tech team, told MIT Technology Review. “This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed.”
Tabini compared the attack to a “MacGyver-like terrorist” building a weapon out of harmless components, noting that even similarly constructed attacks that contained several malicious pieces designed for reconstruction would likely be caught by static analysis software. But for an app that works like Jekyll, more may be needed.
“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu told MIT Technology Review.
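To make Lu’s point concrete, here is an added example (not code from the article or from the Georgia Tech team) of a toy static call-graph pass over two constructed Python snippets. In the first, every call target is a literal name and the pass lists exactly what the program can do; in the second, the target is resolved at run time from data the program receives, so the pass never sees the reachable function and can only report that a dynamic dispatch site exists. The dispatch-primitive list and the "route to manual review" policy are assumptions written for this illustration.

```python
"""Toy static call-target extractor showing what it can and cannot see.

Added example, not part of the original article or the Georgia Tech research.
The two "app" snippets are constructed Python stand-ins for the idea in the
article: one calls its functions directly, the other resolves the function
name at run time from data it only receives after "installation".
"""
import ast

# Constructed sample: every call target is a literal name, so a static pass
# can list exactly what the program may do.
DIRECT_APP = """
def open_page(url):
    return "GET " + url

def run():
    return open_page("https://example.invalid/")
"""

# Constructed sample: the call target is a string that exists only at run
# time (a config value here; in the Jekyll case, data from a remote server).
DYNAMIC_APP = """
import sys

def open_page(url):
    return "GET " + url

def run(command):
    # 'command' is data, not code: the static pass sees only getattr()
    handler = getattr(sys.modules[__name__], command["op"])
    return handler(command["arg"])
"""

# Assumed policy: dispatch primitives whose target static analysis cannot resolve.
DYNAMIC_DISPATCH = {"getattr", "eval", "exec", "__import__"}


def _call_name(node):
    """Return the simple name a Call node invokes, or None if it is not a plain name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def static_call_targets(source):
    """Names of functions the source calls by name (what a static scan resolves)."""
    tree = ast.parse(source)
    calls = (c for c in ast.walk(tree) if isinstance(c, ast.Call))
    return sorted({name for name in map(_call_name, calls) if name})


def dynamic_dispatch_sites(source):
    """Line numbers of calls whose real target is decided at run time.
    These are the sites a reviewer must inspect by hand, because the static
    target list is incomplete wherever one of them appears."""
    tree = ast.parse(source)
    return sorted(c.lineno for c in ast.walk(tree)
                  if isinstance(c, ast.Call) and _call_name(c) in DYNAMIC_DISPATCH)


def needs_manual_review(source):
    """Assumed policy from the article's conclusion: static results are trusted
    on their own only when the program contains no run-time dispatch."""
    return bool(dynamic_dispatch_sites(source))


if __name__ == "__main__":
    for label, src in (("direct", DIRECT_APP), ("dynamic", DYNAMIC_APP)):
        print(label, static_call_targets(src),
              dynamic_dispatch_sites(src), needs_manual_review(src))
```

Run stand-alone, the direct snippet yields the single target `open_page` and no review flag, while the dynamic snippet yields only `getattr` and `handler`: `open_page` is reachable but invisible to the static pass, and the one dispatch site is what sends the program to a human reviewer.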
So how good is static analysis?
Pairing their research with that of another Georgia Tech team that found a way to hack iOS devices using a bogus charger, the researchers challenged the assumption that iOS devices were inherently safe and called for stronger security checks on Apple’s part. However, as Tabini noted, Apple’s security process is already very strong. The likelihood of an application sneaking past automated source code analysis is generally very slim.
One way to make iOS apps even safer, though, would be for Apple to expand its use of entitlements, Tabini wrote. Entitlements, which extensively regulate how signed apps can access different parts of the system and different types of information, are already common in OS X, and they are likely to be expanded in future mobile OS releases. By implementing entitlements, Apple can push developers to disclose more of what their apps actually do and – critically – give itself some automatic flags to know when to carry out a more extensive manual code review (i.e. when an app includes certain types of entitlements).
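As an added illustration of the “automatic flags” idea (example code, not Apple’s review logic), the following script reads an app’s entitlements file and decides whether the declared entitlements should route it to a longer manual review. The entitlement keys are real macOS sandbox entitlement names; the policy that groups them, the escalation rule for network access combined with personal data, and the two sample entitlements files are constructed for this example.

```python
"""Entitlement-based triage: route an app to deeper manual review based on
what its signed entitlements declare.

Added example, not Apple's review process. The keys are real macOS sandbox
entitlement names; the review policy built on them is an assumption made
for this illustration.
"""
import plistlib

# Assumed policy: entitlements that on their own justify a longer manual review.
HIGH_RISK = {
    "com.apple.security.personal-information.addressbook": "reads contacts",
    "com.apple.security.personal-information.location": "reads location",
    "com.apple.security.device.camera": "uses camera",
    "com.apple.security.device.microphone": "uses microphone",
}

# Assumed policy: a network channel plus any personal-data entitlement is
# escalated, because together they form a possible exfiltration path.
NETWORK = {"com.apple.security.network.client",
           "com.apple.security.network.server"}

# Constructed sample: sandboxed app that reads contacts and talks to the network.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.personal-information.addressbook</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: sandboxed app with network access only.
LOW_RISK_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""


def granted_entitlements(plist_bytes):
    """Keys whose value is true; an entitlement set to false grants nothing."""
    data = plistlib.loads(plist_bytes)
    return {key for key, value in data.items() if value is True}


def triage(plist_bytes):
    """Return (needs_manual_review, reasons) for one entitlements file."""
    granted = granted_entitlements(plist_bytes)
    reasons = []
    if "com.apple.security.app-sandbox" not in granted:
        reasons.append("not sandboxed")
    sensitive = sorted(key for key in granted if key in HIGH_RISK)
    reasons.extend(HIGH_RISK[key] for key in sensitive)
    if sensitive and granted & NETWORK:
        reasons.append("network access combined with personal data: "
                       "possible exfiltration path")
    return bool(reasons), reasons


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_ENTITLEMENTS),
                        ("low-risk", LOW_RISK_ENTITLEMENTS)):
        print(label, triage(blob))
```

The design point is that the flags come from what the developer was forced to declare in a signed artifact, so a later attempt to assemble undeclared behavior at run time has to work inside limits the reviewer already knows about; the first sample is escalated on the contacts-plus-network combination, the second passes through with no reasons.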
The discussion around Apple’s security vetting is also instructive for organizations looking for security weaknesses or bugs in their own applications. While static analysis tools provide an excellent first line of defense, they are most effective when paired with code review practices that ensure each piece of the program comes under human eyes and is vetted for problems that might not manifest themselves until well after installation.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.