Stefan Esser: Tool Passed Three Reviews But Was Booted

Apple's App Store can be a tricky club. Even if an app gets in, that doesn't mean the store's bouncers won't come around for it another time.
That is the case with a security tool written by noted iOS expert Stefan Esser of SektionEins, a penetration testing and security consultancy based in Cologne, Germany.
Esser's app, called System and Security Info, was designed to be a cheap tool that runs a basic survey to indicate if an iOS device has been hacked or secretly "jailbroken." Jailbreaking, a practice that Apple strongly discourages, is the term for removing the iOS security defenses that prevent the installation of apps from outside Apple's store (see Jailbreaking iOS Devices: Risks to Users, Enterprises).
The app, which cost $0.99, was in the store for about a week before Apple booted it over the past weekend. Apple officials couldn't be reached immediately for comment.
Apple generally forbids what would be considered true security applications from running on iOS. The company doesn't allow deep access into the operating system needed for certain kinds of security monitoring, which has rankled security experts.
Esser has long been a critic of Apple's security processes, claiming that the company sometimes doesn't patch the bugs it says it does. In fact, the functionality of System and Security Info depended, in part, on APIs Apple said it would close off to developers but didn't.
With the app, Esser was pushing the limits: Would Apple give his company's app a pass?
"We expected that Apple might not let the app into the store," Esser tells ISMG. "But when we went through three App Store reviews, we thought 'Wow, Apple has really changed, and they are OK with this app and do not try to hide security problems from their users anymore.' Apparently, we were wrong."
Tough to Tell: Has an iPhone Been Hacked?
It's difficult for even security professionals to figure out if an iPhone has been hacked. Because iOS is so locked down, SektionEins has resorted to using private jailbreak exploits for investigations, a method that isn't cheap. It essentially amounts to hacking an iPhone to figure out if it has been hacked.
"We, therefore, wanted to provide the public with a low-cost solution to find out if someone used one of the public jailbreaks or a customized version to hack and backdoor your device," Esser says in a blog post.
System and Security Info shows a list of running processes, which can help someone determine if an app is doing something it is not supposed to. It also looks for clues that a device may have been jailbroken using one of the known jailbreak exploits. Other signs it looks for include whether code-signing functionality has been disabled and if apps' SHA-1 hashes are legitimate.
Esser cautions that the tool isn't a replacement for a full analysis, but rather a good first sweep.
But over the weekend, Apple pulled Esser's app, saying it "provides potentially inaccurate and misleading diagnostic functionality for iOS devices to the user."
"Currently, there is no publicly available infrastructure to support iOS diagnostic analysis," according to a statement from Apple that Esser posted via Twitter. "Therefore your app may report inaccurate information which could mislead or confuse your users."
Here. It basically says: we do not want our users to have the impression iOS could have security holes. Go away. pic.twitter.com/7II1q96ZMt
System and Security Info compiled its information using APIs that Apple said last year it would close off. Apple made the changes to prevent applications from gathering information on other applications running on a system, which could be used for attack intelligence.
Esser asserts that the changes, however, were only partial, and that it was still possible to pull a list of running processes and other information, which has only positive security benefits.
"Apple has really bad QA [quality assurance] of security fixes, and unless this becomes more widely known and customers start to [ask] about it, they will not change," he says. "Apple still needs to get their Microsoft moment."
App Store: Largely Secure
Apple relies on a vetting process for new apps, which has largely kept its App Store free of malicious software. But there are notable exceptions.
Indeed, attackers have developed more sophisticated methods to slip past Apple's censors and appear in the store, at least for brief periods. In September 2015, more than 4,000 apps were discovered in the store that had been created with XcodeGhost, a malicious version of Apple's Xcode development tool (see Apple Malware Outbreak: Infected App Count Grows).
The fake version of Xcode added hidden code to any app compiled with it. Those apps could then collect information about the iOS device they were running on or open URLs. Apple quickly responded with a large sweep that removed the suspicious apps from its marketplace.