In a much-publicized recent case, scientists at Georgia Tech managed to get a specially crafted app--aptly named Jekyll--that could perform all sorts of malicious activities onto the App Store, bypassing every single security measure put in place by Apple to protect its users.
That's no small achievement: Apple has gone to great lengths to ensure that users of its mobile operating system feel safe when they use their devices for everyday activities from browsing the Web to updating their banking accounts. By enforcing a stringent set of rules that determine which software can and cannot run on its devices, the company has, for the most part, managed to keep its customers safe from malicious software.
Sure, the odd app containing features that violate the company's rules does get through from time to time, but serious breaches are extremely rare. Still, hackers and security researchers continue to prod at iOS in an attempt to circumvent its security framework.
For its part, the Cupertino giant is hardly sitting still: The security behind its operating systems continues to evolve, creating additional layers of protection that affect everything from the way apps are developed to the way they run.
In the beginning, there was App Review
The first line of defense for app security is the review process, during which each app is manually tested to ensure that it doesn't crash in any obvious way and that it conforms to all the appropriate App Store rules.
Before landing on the App Store, all apps are manually reviewed by Apple for flaws and malware. The large number of submissions, combined with the need to approve updates in a timely manner, conspires to make this process somewhat mistake-prone.
As part of this vetting exercise, Apple employees also run a special static analyzer on the app's binary code to see whether it makes use of private functionality that's normally off-limits to developers. This important step allows the company to determine, for example, if the code attempts to surreptitiously make phone calls, send SMS messages, or even access the contacts database without the user's permission.
Despite having been largely successful at keeping malware out of the App Store, the review process has its limits. Faced with vetting hundreds of software titles every week, the reviewers can dedicate only a limited amount of time to each app, which means that they may miss issues that only crop up after a certain amount of use, or in response to external events. In the case of the Georgia Tech attack, for example, the Jekyll app was crafted in such a way that the malicious code would kick in only when a special message was delivered over the Internet, making it very hard for the app review process to highlight any potential flaws.
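To make the static check described above concrete, here is an added example that is not code from the article and not Apple's analyzer: a minimal reviewer-side scanner that sweeps a compiled binary for printable strings (Objective-C selector names end up in the binary as NUL-terminated C strings) and flags any that match a denylist of off-limits methods. The denylist entries, the sample "binaries" and the `build_sample_binary` helper are all constructed placeholders; the real private selector names are not given on the page.

```python
import re

# Constructed denylist standing in for the private selectors a reviewer's
# static analyzer checks for. These are placeholders, not Apple's real
# private API names.
PRIVATE_SELECTORS = {
    "placeholderSendSMS:toNumber:",
    "placeholderDialNumber:",
    "placeholderReadAllContacts",
}

# Runs of at least four printable ASCII bytes, which is how Objective-C
# selector names and other C strings appear inside a compiled binary.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes):
    """Yield (offset, string) for every printable run in the blob."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group(0).decode("ascii")


def scan_private_api(blob: bytes):
    """Return [(offset, selector)] for every denylisted selector found verbatim."""
    return [(off, s) for off, s in extract_strings(blob) if s in PRIVATE_SELECTORS]


def review_verdict(blob: bytes) -> str:
    """Mimic the reviewer's decision: any literal private-API hit fails the check."""
    return "reject" if scan_private_api(blob) else "pass"


def build_sample_binary(selectors):
    """Constructed stand-in for an app binary: the 64-bit Mach-O magic number,
    some header padding, then NUL-separated selector strings and filler bytes."""
    header = b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    names = b"\x00".join(s.encode("ascii") for s in selectors)
    return header + names + b"\x00" + b"\x90" * 8


# Constructed samples: a benign app that uses only public UIKit selectors, and
# one that references two denylisted selectors directly.
BENIGN_APP = build_sample_binary(
    ["viewDidLoad", "application:didFinishLaunchingWithOptions:"]
)
SUSPICIOUS_APP = build_sample_binary(
    ["viewDidLoad", "placeholderSendSMS:toNumber:", "placeholderReadAllContacts"]
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_APP), ("suspicious", SUSPICIOUS_APP)):
        print(name, review_verdict(blob), scan_private_api(blob))
```

Reported offsets let a reviewer jump straight to the hit in a disassembler. The scan only sees what is literally present in the binary, which is exactly the limit the article points to: an app whose dangerous behaviour is dormant until a message arrives over the network shows nothing unusual to a check of this kind, so the verdict is only as good as the code that is visible at review time.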