When it comes to security, most would agree that iOS is one of the most secure operating systems on the planet. New vulnerabilities are discovered on what is seemingly a consistent basis, but this is really only because security specialists are drawn to iOS for a challenge. And when you look at the number of flaws within Android, iOS looks like a knight in shining armor when it comes to security.
At least it did before a press release was put out by Georgia Tech last week that detailed work by researcher Billy Lau and his team.
So just what did Lau and his team discover?
Well, they discovered a serious flaw that allows pretty much anyone to sneak malicious software past Apple’s review team without you being aware of anything.
Wang’s approach hides malicious code that would otherwise get rejected during the Apple review process. Once the malicious app passes review and is installed on a user’s device, it can be instructed to carry out malicious tasks.
To prove that this works, Wang’s team developed a proof-of-concept attack, called Jekyll, which rearranges its own code to create new functionality that is not exhibited during Apple’s approval process.
This apparently allows the malicious aspects of the app to remain undetected when reviewed and therefore obtain Apple’s approval.
Wang and his team were able to prove that “despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge.”
Luckily, Apple responded to the discovery of the vulnerability and is actively working on a way to address the issue in a future firmware update (likely iOS 7). Still, it is a pretty scary discovery to say the least…