Installing rogue apps on iOS devices via SandJacking Attack

The security expert Chilik Tamir from Mi3 Security has devised a new attack dubbed SandJacking to install rogue apps on iOS devices.

The security expert Chilik Tamir from Mi3 Security has devised some new attack methods that can be exploited by threat actors to install malicious apps on non-jailbroken iOS devices.

Tamir presented his attack methods at the recent Black Hat Asia conference, he explained how to exploit a developer feature, the Xcode 7, recently introduced by Apple to install malware on devices.

Among the novelties introduced with the Xcode 7, there is the possibility for developers to create iOS apps using certificates that can be issued by providing an Apple ID, this means that coders just need to provide their name and an email address.

This process allows developers to create applications that do not need to be uploaded to the App Store and don’t need to pass the Apple’s application review. This kind of apps has limited abilities compared to apps that pass the Apple’s application review, for example they are not allowed to access Apple Pay, application domains, iCloud, in-app purchase features, the passbook/wallet, and they cannot use push notifications.

Unfortunately, it is important to highlight that the operations allowed to mobile apps developed with the above process are the same conducted by mobile malware. For example, these apps can access users’ data, access the address book, access the calendar and track users through their GPS positions.

The researcher Tamir released a proof-of-concept (PoC) tool called “Su-A-Cyder” that can be exploited by attackers to replace a legitimate app installed on an iOS device with a malicious version that the tool creates.

Tamir described the Su-A-Cyder as a new threat vector that can create a malicious version of legitimate apps just by connecting the victim’s device to a computer.

“Su-A-Cyder can be described as a recipe that takes one part malicious code (choose your flavor), one part legitimate app (choose your victim), one part Apple ID (anonymous), and mix together to create a new evil client app that easily installs on a non-jailbroken device.” explained Tamir. “Su-A-Cyder is not malware and it is not a vulnerability; it’s a threat vector! It is a compilation of open source technologies (e.g. Theos and Fastlane) scripted together to take advantage of Apple’s home brewed certification application program to demonstrate that anonymous evil app creation is not a myth anymore. And any legitimate application can be resigned with an anonymous Apple ID account and side loaded to a device.”

Before the release of iOS 8.3, it was easy for attackers to replace a legitimate application with a malicious version by simply assigning the malicious app a similar bundle ID and overwriting the original application.

Things changed with security measures implemented with iOS 8.3.

Tamir devised the SandJacking attack method that allowed it to bypass security countermeasures implemented starting with the iOS 8.3 and allowed him to rely on the Su-A-Cyder threat vector.

Tamir explained that the effectiveness of the SandJacking methods relies on the lack of control on the restore process. An attacker creates a backup, remove the legitimate app, install the rogue version, and then restore the backup, in this scenario the malicious app will not be removed and attacker can obtain the access only to the sandbox of the app it replaces.

Tamir presented the SandJacking attack at the Hack In The Box (HITB), during his presentation he targeted the Skype app.  Tamir announced that will release a SandJacker tool that automates the SandJacking attack after Apple will fix the issue.

The only way to spot the attack is to check the app’s certificate and the device’s provisioning settings to verify the developer’s identity.

Despite the flaw was reported to Apple in January, the company still hasn’t issued a patch.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SandJacking , hacking)