"Exposure" Apple App Store over thousands iOS app storage security vulnerability

According to foreign web site IBTimes reports, well-known cyber security company FireEye recently warned that because of a "jspatch", can help developers to modify the application of software on the existence of security vulnerabilities, The 1000 + iOS apps in the Apple App Store that use the framework are at risk of hacking. FireEye says 1220 apps in Apple's iOS App store may be affected. FireEye has not disclosed the specific names of these apps, but has notified the developers of these applications. FireEye warns that while Jspatch technology is useful for iOS development, it can pose a significant risk to users if exploited by hackers.

It is reported that the open source software jspatch on the security loopholes, can cause hackers random access to the user's device photos, microphones and clipboard data and other privacy-related features.

Jspatch Frame

Open Source Tools Jspatch originally from China. Since its release in 2015, which has been favored in the Chinese market, many popular and high-profile Chinese Apple applications have used this technology, but FireEye found that developers outside China have also used the technology framework.

FireEye pointed out that the Jspatch framework could allow attackers to effectively circumvent the Apple App Store review process and allow attackers to arbitrarily enforce programs on compromised devices, and any anti-virus tool would be difficult to capture the framework code.

"Jspatch is a boon for iOS developers," FireEye said in a blog post. Using it correctly, you can deploy patches and update code quickly and efficiently. But the real world is not as perfect as we imagined it to be, and we have to assume that this technique is used by bad people for unexpected purposes. Specifically, if an attacker is able to tamper with the contents of a JavaScript file, it can successfully launch an attack on an app in the Apple Store. ”

FireEye says Jspatch is one of a handful of low-cost repair applications for iOS developers. Other similar products have similar potential attack threats.

How to circumvent vulnerabilities

"A cunning attacker could use the technical framework to write a legitimate and harmless application before submitting an Apple App Store review," said Josh Goldfarb, FireEye's emerging technology leader. Once approved, it will formally enter the Apple App Store, which can send illegal malicious instructions to the device. ”

As for how to circumvent the risk of jspatch, Goldsmith says: "My advice is very standard: Download only the apps you need, and you know, you trust." Beware of apps that ask you for permission to access. Remember to provide access only to those apps that you think you must have. ”

For iOS users, this is not the first time a large area of application vulnerability is compromised. In October 2015, security research company SourceDNA discovered hundreds of iOS users ' privacy information, violating Apple's security and privacy guidelines. This is only one months after the malicious code XcodeGhost attacked the Apple App Store.

In explaining the phone's vulnerability, Goldsmith said: "Mobile devices are an attack target that attackers prefer, because they lack security compared to laptops and desktops." In the future we will see more and more malicious attacks against mobile environments. Attackers will divert attention to where money is gathered, so we'll see more attacks on mobile devices. ”

visit: Apple Online Store (China)

"Exposure" Apple App Store over thousands iOS app storage security vulnerability