A new iPhone warning has been issued following research into iOS app security. Apple’s iOS operating system has always been considered more secure than rival Google Android’s. Apple owns the hardware, software and platform in a closed ecosystem with much less fragmentation that its rival.
However, in iOS 17.4, that is going to transform for EU users, as Apple is about to launch seismic changes to its App Store and ecosystem to enable sideloading in line with new regulation the Digital Markets Act.
This change, due to launch next week, has become part of a new warning issued by security researchers following a report looking into iOS app security.
The report, The State of iOS App Security by Promon, investigated specifically if iOS apps can defend against repackaging attacks. These see an adversary obtain a copy of an app, modify it and maliciously repackage it to successfully run on a device.
Repackaging is “one of the most critical risks to address” when platforms allow sideloading, Promon researchers said.
To conduct its research, Promon tested 100 of the world's most-downloaded apps for iOS, according to SensorTower. Combined, these apps were downloaded more than 4.7 billion times over the past year, according to SensorTower.
Of the 100 apps, 93 (93%) ran repackaged. Of the seven (7%) that did not run, two apps crashed for reasons other than detecting that the app had been repackaged. The other five apps crash for undetermined reasons, which could include that they detected the repackaging, Promon said.
“Given the results from 100 of the world’s most actively downloaded apps, it seems safe to conclude that many iOS apps themselves have minimal protections against repackaging,” the Promon report said.
“The introduction of sideloading on iOS, along with the risks associated with third-party app stores, is akin to rolling out the red carpet for a new wave of malware, Trojans and bogus apps,” said Benjamin Adolphi, head of security research at Promon.
“As we brace for this new era of heightened risk, it's imperative that Apple implements far greater repackaging prevention strategies to mitigate the proliferation of fake apps before they wreak havoc on unsuspecting users.”
All iOS apps are encrypted when distributed through the App Store. However Promon’s report determined that iOS app encryption is “quite trivial to bypass.”
An attacker trying to repackage an app needs it to be unencrypted to modify it and distribute it further. “There are different solutions, but the easiest is to install and run the encrypted app on an iOS device,” Promon said. When iOS launches the app, it is decrypted into memory, and the attacker can dump the unencrypted memory and patch it back into the original application. “This results in a fully unencrypted app that can then be modified,” Promon added.
This should not be possible on a normal iOS device: The user or any application running on the iOS system should be unable to access the memory on an arbitrary app installed from the App Store. It is, therefore, necessary to compromise the device “to a certain degree” to be able to gain that capability, Promon said.
However, to access the memory of an app to be able to modify it, a full jailbreak is not needed, Promon said. In many cases, the firm says, one security vulnerability is enough to be able to read the memory of an app.
“These bugs allow signing apps with arbitrary entitlements. This can be used to bypass the iOS sandbox to such a degree that accessing the memory of an arbitrary app is possible. Compared to a full jailbreak, this is much easier because only one vulnerability needs to be known and exploited compared to a full chain that modern jailbreaks require.”
Based on this, Promon says decrypting apps on modern iOS versions is “still very much possible”, and “developers should not rely on App Store DRM as a primary means to protecting their app.”
It’s an interesting report, and breaches of Apple app security are not unheard of—a fake version of the password manager LastPass recently made it into the App Store.
But it’s important to note that certain conditions need to be met in order for apps to be decrypted and repackaged. The issue really is that Apple opening up iOS to sideloading will increase the risk of these attacks.
“While this is just one attack vector, it highlights a current need for increased security vigilance, even if the underlying platform has safeguards in place,” Promon said.
As Promon researchers point out, Apple is putting in safeguards—the iPhone maker will continue to notarize iOS apps when the iOS 17.4 changes do come into place,“which should help mitigate some issues.”
From iOS 17.4, Apple fans in the EU will need to be careful, but there’s no need to panic. Like Android users, you need to be mindful of the apps you download and ensure you delete any you aren’t using. At the same time, ensure you apply the latest iOS updates as soon as they are released to patch any security flaws that could offer a route in.
Apple has been approached for comment and I will update this article if the iPhone maker responds.
