Apple succeeds where security failed with web developers

Interesting article today about some malware with the linkbait title "The mother of all Android malware has arrived". It involves the malware writer downloading over 50 free applications from the Android appstore, adding a trojan to them, repackaging them and releasing them for download. Aided by the fact that they were existing applications, it is reported there were between 50,000 and 200,000 downloads in over 4 days (it took Google that long to shut down the malware-spreading applications). The trojan used a root exploit and allowed stealing of data as well as opening up a back door for downloading further malware.

There is some really good discussion on Hacker News comparing the Apple and Google approaches to their respective appstores. What struck me most, though, was how Apple's review process appears to have succeeded where security professionals have failed for years with developers.

There is some great discussion in the HN comments about the Apple review process. I think it is fair to say that the process is not infallible, and there are some good examples of how malware could potentially be allowed through:

Using a dynamic binding that is not detected during static analysis:

"You need a message name (@selector), and the names are strongly typed."

"What do you mean by strong typing here? AFAIK ObjC has dynamic binding, which means you can send the same message to a different object based on a condition. So from what I see, you can pretend you're sending a message to an internal object, but then switch the object out for an external one later."

A "timebomb" - code that executes after a period of time or based on a specific condition not triggered during the review process:

"A time bomb needs a callback in the binary."

"Nope. You read the current time in at startup, to, I don't know, display to the user, then at some later point, after enough obfuscation and misdirection, innocuously check if the number you got back was past 1335830400."

"and then the app needs to actually do something if the response comes back as 1,000. Which means that code needs to be in the binary."

"But the response won't be 1,000. The response will have lots of data you'd send otherwise, then an innocuous-sounding string like, I don't know, "true" or something, tacked on at the end, and you'll have a check for the end of the string being "true" buried somewhere deep within your code, which is where you'll switch the object out."
However, 10 billion app downloads later, we are yet to see malware like the above spread on the iOS platform. While this does not mean we could not see it tomorrow or the day after, as iOS gains greater market share and more high-value applications such as banking and stock trading move to mobile, it is an impressive record.

A great deal of the credit for this has to go to the strict Apple review process. They have succeeded where security professionals have failed for years with web developers. By implementing even "just" static analysis of code and making developers aware that their app will get rejected if they fail this testing, Apple has raised the bar on security and quality of code.

Compare this to web applications: cross-site scripting (XSS) has been known about for donkey's years, and great guidance on preventing XSS has existed for a similar amount of time, but you still get a SECURITY application like Lastpass having a basic XSS vulnerability. Security professionals have been trying for years to implement secure development lifecycle disciplines, such as static and dynamic code analysis on every project prior to going live. But with studies like this finding 72% of their sample group not applying security at source, and with Lastpass as a clear case in point, we are not succeeding.

The truth appears to be that without a central gatekeeper like Apple, these types of security practices will never be implemented ubiquitously. This is perhaps one of the greatest security benefits of software distribution moving to the Appstore-type model, and I hope that Google implements at least a minimal process of source code review; corporations can then follow suit.
