{"id":664,"date":"2010-07-21T03:38:45","date_gmt":"2010-07-21T08:38:45","guid":{"rendered":"http:\/\/vgable.com\/blog\/?p=664"},"modified":"2010-07-21T03:38:48","modified_gmt":"2010-07-21T08:38:48","slug":"sneaking-malware-into-the-app-store","status":"publish","type":"post","link":"https:\/\/vgable.com\/blog\/2010\/07\/21\/sneaking-malware-into-the-app-store\/","title":{"rendered":"Sneaking Malware Into the  App Store"},"content":{"rendered":"<p>It&#8217;s happened. An app that grossly violated Apple&#8217;s terms of service (by <a href=\"http:\/\/appshopper.com\/blog\/2010\/07\/20\/handy-light-tethering-app-camouflaged-as-flashlight\/\">enabling <em>free<\/em> tethering<\/a>) made it through Apple&#8217;s review process, onto the App Store, and into the #2 most-popular spot before being taken down. Although this app wasn&#8217;t malicious to users, it&#8217;s absolutely malicious to Apple&#8217;s agreements with AT&#038;T and other phone-companies. It is a real demonstration that <strong>Apple can&#8217;t keep malware off the App Store<\/strong>.<\/p>\n<h3>A Few Sneaky Ideas<\/h3>\n<p>It&#8217;s not hard to come up with ways to fool App-Store reviewers.<\/p>\n<p>You might just <strong>get lucky<\/strong>. With <a href=\"http:\/\/148apps.biz\/app-store-metrics\/\">over 230,000<\/a> Apps in the store, reviewers are swamped. 
They&#8217;re only human and they might not notice some subtle evil &#8212; especially if it&#8217;s not on <a href=\"http:\/\/appreview.tumblr.com\/\">their naughty-behavior list<\/a>.<\/p>\n<p><strong>Time-Bombs<\/strong>, apps that hide their bad behavior for a few days, are undetectable without periodic audits, since they act normally during the pre-release review period.<\/p>\n<p><strong>Phoning home<\/strong> to a server that lets an app know it&#8217;s passed review and can begin its life of crime would let an app be even more precise.<\/p>\n<p>With just a few minutes&#8217; thought, I&#8217;m sure you can think of even more clever tricks, or combinations of tricks.<\/p>\n<h3>Not a Fully Open Vulnerability<\/h3>\n<p>That&#8217;s not to say your iPhone is in as much danger as your PC. iOS apps don&#8217;t have the same free rein that traditional computer programs have. That <a href=\"http:\/\/www.mikeash.com\/pyblog\/iphone-apps-i-cant-have.html\">limits their usefulness<\/a>, but it also limits the damage they can cause. An iOS App can&#8217;t stop you from killing it, and it can&#8217;t mess with other apps, so it can&#8217;t &#8220;take over&#8221; your phone. But it can do anything it likes with your Contacts, and secretly abuse the phone&#8217;s always-on network connection, and get up to other sorts of minor mischief.<\/p>\n<p>I don&#8217;t have room here to fully analyze the risks of a rogue iPhone program. But generally, the danger isn&#8217;t too great: a little more than what a website can do, a <em>lot<\/em> less than what a PC program with administrator access can do.<\/p>\n<p>Ultimately, Apple&#8217;s best defense against malware isn&#8217;t control of the App Store review process or iTunes payments (although they help), but control over iOS. A well-designed operating system limits what kinds of malware are possible. The review process can screen for egregious mistakes. 
But it can&#8217;t catch everything, and it&#8217;s least able to catch the most clever malware, which, ultimately, are the programs we should be most worried about. Apple&#8217;s review process doesn&#8217;t provide real security against modern malware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s happened. An app that grossly violated Apple&#8217;s terms of service (by enabling free tethering) made it through Apple&#8217;s review process, onto the App Store, and into the #2 most-popular spot before being taken down. Although this app wasn&#8217;t malicious to users, it&#8217;s absolutely malicious to Apple&#8217;s agreements with AT&#038;T and other phone-companies. It is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[53,203,4,42],"tags":[479,167,478,327,608],"class_list":["post-664","post","type-post","status-publish","format-standard","hentry","category-announcement","category-iphone","category-programming","category-security","tag-app-store","tag-apple","tag-itunes","tag-malware","tag-review-process"],"_links":{"self":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/comments?post=664"}],"version-history":[{"count":1,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/664\/revisions"}],"predecessor-version":[{"id":665,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/664\/revisions\/665"}],"wp:attachment":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/media?parent=664"}],"wp:term":[{"taxono
my":"category","embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/categories?post=664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/tags?post=664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}