Security Risks for iOS Apps That Use Alternate Solutions for Hot Patching
App Developer Magazine



Thursday, February 18, 2016

Richard Harris


Nothing comes free. There is always give and take, and the iOS App Store is no exception. With such an inherently closed ecosystem, the benefits for users include the relative assurance that, from a security standpoint, iOS apps are safe to use.

This is a benefit for iOS app publishers as well, as their apps profit from the halo effect this perception provides. That notwithstanding, the process for publishing a new release or providing a patched version of an app can involve jumping through a lot of hoops and can be a pain for developers.

There are now solutions that provide an alternative to this process. However, while they may be more convenient to use, they can introduce significant pitfalls from a security standpoint.

To evaluate the situation, FireEye mobile security researchers are publishing a series of articles that examine the security risks of iOS apps that employ alternate solutions for hot patching and provide advice on how to prevent unintended security compromises.

In the first installment of the series they extensively examine the open source solution JSPatch, which is built on top of Apple’s JavaScriptCore framework. As the authors of the article point out:

JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes. Specifically, if an attacker is able to tamper with the content of JavaScript file that is eventually loaded by the app, a range of attacks can be successfully performed against an App Store application.
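The tampering risk described in the quote comes down to whether the app checks the patch script before loading it. The following is an added example, not code from FireEye, JSPatch or this article: a Node.js model of a client-side gate that accepts a hot patch only if it carries a valid Ed25519 signature from a key pinned in the app and a version newer than the last one applied. The names `signPatch` and `acceptPatch`, the bundle layout and the sample script are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo key pair. In a real deployment the private key stays on the
// release server and only the public key ships inside the app bundle.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Hypothetical server-side step: sign the version together with the script so
// an old, validly signed patch cannot be replayed later.
function signPatch(version, script, key) {
  const payload = Buffer.from(JSON.stringify({ version, script }), 'utf8');
  return { payload, signature: crypto.sign(null, payload, key) };
}

// Hypothetical client-side gate: returns the script text only if the signature
// verifies against the pinned key and the version is newer than the one applied.
function acceptPatch(bundle, pinnedKey, lastAppliedVersion) {
  const { payload, signature } = bundle;
  if (!Buffer.isBuffer(payload) || !Buffer.isBuffer(signature)) {
    return { ok: false, reason: 'malformed bundle' };
  }
  // Verify before parsing, so unauthenticated bytes never reach JSON.parse.
  if (!crypto.verify(null, payload, pinnedKey, signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  const { version, script } = JSON.parse(payload.toString('utf8'));
  if (!Number.isInteger(version) || version <= lastAppliedVersion) {
    return { ok: false, reason: 'stale version' };
  }
  return { ok: true, version, script };
}

// Constructed sample patch script.
const good = signPatch(3, "fixCrash('checkout');", privateKey);

// Simulated modification in transit: original signature, altered script body.
const tampered = {
  payload: Buffer.from(good.payload.toString('utf8').replace('checkout', 'x'), 'utf8'),
  signature: good.signature,
};

console.log(acceptPatch(good, publicKey, 2));     // accepted
console.log(acceptPatch(tampered, publicKey, 2)); // rejected: bad signature
console.log(acceptPatch(good, publicKey, 3));     // rejected: stale version
```

Only a script returned with `ok: true` would be handed to the JavaScript engine; anything else is dropped and the app keeps running its shipped code.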






Read more: https://www.fireeye.com/blog/threat-research/2016/...



