Security Risks for iOS Apps That Use Alternate Solutions for Hot Patching
Thursday, February 18, 2016
Richard Harris |
Nothing comes free. There is always a give and take with anything and the iOS app store is no exception. With such an inherently closed ecosystem the benefits for users include the relative assurance that, from a security standpoint, iOS apps are safe to use.
This is a benefit for iOS app publishers as well as their apps profit from the halo affect this perception provides. That not withstanding, the process for publishing a new release or providing a patched version of an app can involve jumping through a lot of hoops and can be a pain for developers.
There are now solutions out there that provide an alternative to this process, however while they may be more convenient to use, they can provide significant pitfalls from a security standpoint.
To evaluate the situation, FireEye mobile security researchers are publishing a series of articles that examine the security risks of iOS apps that employ alternate solutions for hot patching and provide advice on how to prevent unintended security compromises.
In the first installment of the series they extensively examine the open source solution JSPatch, which is built on top of Appleās JavaScriptCore framework. As the authors of the article point out:
JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes. Specifically, if an attacker is able to tamper with the content of JavaScript file that is eventually loaded by the app, a range of attacks can be successfully performed against an App Store application.
Read more: https://www.fireeye.com/blog/threat-research/2016/...
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here