Security Risks for iOS Apps That Use Alternate Solutions for Hot Patching

Posted 2/18/2016 10:05:29 AM by RICHARD HARRIS, Executive Editor

Nothing comes free. There is always a give and take with anything and the iOS app store is no exception. With such an inherently closed ecosystem the benefits for users include the relative assurance that, from a security standpoint, iOS apps are safe to use.

This is a benefit for iOS app publishers as well, as their apps profit from the halo effect this perception provides. That notwithstanding, the process for publishing a new release or providing a patched version of an app can involve jumping through a lot of hoops and can be a pain for developers.

There are now solutions out there that provide an alternative to this process, however while they may be more convenient to use, they can provide significant pitfalls from a security standpoint.

To evaluate the situation, FireEye mobile security researchers are publishing a series of articles that examine the security risks of iOS apps that employ alternate solutions for hot patching and provide advice on how to prevent unintended security compromises.

In the first installment of the series they extensively examine the open source solution JSPatch, which is built on top of Apple's JavaScriptCore framework. As the authors of the article point out:

JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes. Specifically, if an attacker is able to tamper with the content of the JavaScript file that is eventually loaded by the app, a range of attacks can be successfully performed against an App Store application.



About the author: RICHARD HARRIS, Executive Editor

As the Publisher and Editor for App Developer Magazine, Richard has several industry recognitions and endorsements from tech companies such as Microsoft, Apple and Google for accomplishments in the mobile market. He was part of the early Google AFMA program, and also involved in the foundation of Google TV. He has been developing for mobile since 2003 and serves as CEO of Moonbeam Development, a mobile app company with 200 published titles in various markets throughout the world. Richard is also the founder of LunarAds, a mobile cross-promotion and self-serv mediation network for developers. He has been a featured presenter at trade-shows and conferences, and stays active with new projects relating to mobile development.
