Do you know?… Any iOS app downloaded from Apple’s official App Store has an ability to update itself from any 3rd-party server automatically without your knowledge.
Yes, it is possible, and you could end up downloading malware on your iPhone or iPad.
Unlike Google, Apple has made remarkable efforts to create and maintain a healthy and clean ecosystem of its official App Store.
Although Apple’s review process and standards for security and integrity are intended to protect iOS users, developers found the process time consuming and extremely frustrating while issuing a patch for a severe bug or security flaw impacting existing app users.
To overcome this problem, Apple designed a set of solutions to make it easier for iOS app developers to push straightway out hotfixes and updates to app users without going through Apple’s review process.
Sounds great, but here’s the Kick:
Malicious app developers can abuse These solutions, potentially allowing them to circumvent effectively the protection given by the official App Store review process and perform arbitrary actions on the compromised device, FireEye has warned.
How Does JSPatch Work?
Developed by a Chinese developer, JSPatch is utilised in as many as 1,220 iOS apps in the App Store, according to researchers. Although they failed to name the apps, the researchers claim that they have already notified the app providers.
How to Exploit the JSPatch Framework?
There are two ways to abuse this framework:
If the Developer is with malicious intention.
If developer loads this framework via an unencrypted channel, allowing Man-in-the-Middle attacks.
What if the app developer has bad intention?
A malicious developer can first submit a harmless JSPatch integrated application to the Apple App Store.
"JSPatch is a boon to iOS developers," FireEye researchers said in a blog post. "In the right hands, it can be used to quickly and effectively deploy patches and code updates. However, in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes."
What if the app’s developer loads JSPatch via an unencrypted channel?
If an application developer uses JSPatch without any malicious intentions, even then the users security is at risk. The developers who load JSPatch via an unencrypted (HTTP) channel could leave communications between the client and the server unprotected.
Access to sensitive information, such as media files and the pasteboard content.
Change system properties.
Load arbitrary public frameworks into the app process.
This isn’t the very first-time iOS users are facing such problems. Last October, hundreds of iOS apps in the App Store were found collecting user’s private data while violating security and privacy guidelines of Apple.
The discovery came just a month after the XcodeGhost malware was distributed through legitimate iOS Apps via counterfeit versions of Apple’s app developer toolkit called Xcode. Here’s how to protect yourself against XCodeGhost like iOS flaws.
How to Protect Yourself?
The recommendations to protect yourself against this flaw are standard:
Download apps only from the official App Store, that you need, that you know, and that you trust.
Beware of applications that ask for an extensive amount of permissions and only grant the apps permissions that are necessary.
Manually review "everything" to discover anything malicious in your devices. Rest is up to the company if it wants to improve its application update process to make it speedier, or to allow potential attack vectors that could affect most of its apps and their users.