Investigating iOS security vulnerabilities

Originally posted to Licelus blog

iOS is renowned for its robustness and its rigorous security measures. It's a closed ecosystem, with Apple strictly controlling both hardware and software. The upshot of this is a unique and comprehensive approach to security. And it means that iOS has traditionally provided a safer environment than other platforms due to its strict review process for apps and limitations on customizations.

But security isn't a state. It's a process. And there are no platforms - iOS included - that are invincible to sophisticated threats. There are iOS security vulnerabilities that need to be investigated.

This is a particularly pertinent point when viewed in the context of how quickly the threat landscape changes in the tech world. Take the recent news surrounding Apple’s potential introduction of sideloading - the ability to download and install applications outside of the App Store. This has also sparked a debate about the future sturdiness of iOS’ security.

Sideloading aside, insecure networks, OS vulnerabilities, reverse engineering, supply chain attacks, jailbreaks, and social engineering all have the potential to threaten the security of iOS apps.

There’s a tendency, though, for mobile app developers to spend less time and effort thinking about security for iOS apps than they do for Android equivalents. If anything, iOS’ reputation for security in recent years has caused some complacency.

The good news is that understanding these risks and applying best practices for mitigation can go a long way in safeguarding your applications and your data. After all, it's not just about having a secure platform. It’s also about how you, as developer or user, navigate within that platform.

In this article we’ll explore the major risks facing iOS apps and we’ll offer some practical strategies for how to keep them secure (and how to maintain the safety of your end users). So, whether you're a seasoned developer or an iOS user, read on.


Exploring some iOS security vulnerabilities

Insecure networks

Even the most secure devices can be exposed to risks when connected to insecure networks.

Public Wi-Fi networks, for example, are breeding grounds for malicious activities. Cyber attackers often exploit these networks to intercept data transmission, gain unauthorized access to devices, or spread malware. The obvious risk here is the exposure of sensitive personal and business information.

Mitigation strategies for network communications interception include using VPNs to encrypt data transmission, and avoiding public Wi-Fi for sensitive operations and transactions. It’s also a good idea to leverage SSL Pinning and to regularly update iOS software to benefit from the latest security patches and updates from Apple.

OS vulnerabilities

No operating system, iOS included, is devoid of vulnerabilities. And weak spots in the software can be exploited by attackers to gain unauthorized access, disrupt operations, or even steal sensitive data.

For instance, in 2020, a vulnerability dubbed "MailDemon" was discovered in the default Mail app of iPhones that could allow remote code execution (RCE) upon the opening of malicious emails. Another vulnerability in the iOS platform allowed RCE in IOSurfaceAccelerator and WebKit and was exploited before Apple could release a patch for it.

OS vulnerabilities also do a good job of stripping iOS devices of the restrictions Apple imposes on them. Jailbreaking software intended to allow application side loading and unlocking other functionalities can only work via vulnerabilities discovered in the iOS. We’ll touch on jailbreaking a bit more later in this article.

If you’re an iOS app developer, you can minimize the impact of vulnerabilities like these from being exploited by embracing zero-trust strategies for information security.


Diving deeper into specific threats

Reverse engineering

Reverse engineering involves deconstructing a software program to understand its architecture, functionality, and potential vulnerabilities. When applied to iOS apps, this process can reveal proprietary algorithms, hidden features, and even potential weaknesses that can be exploited.

The traditional view is that iOS apps are much harder to reverse engineer than Android apps due to the usage of machine code instead of JVM bytecode - as well as other protection practices.

Let’s investigate this.

When a developer writes an iOS app, they write it in a high-level language like Swift or Objective-C. This code is then compiled into machine code that the device's processor can understand and is stored in the application binary. The binary itself is then encrypted using a symmetric encryption algorithm (AES) - a process that happens when the app is submitted to the App Store. This encrypted application binary is then hosted on Apple's App Store, and when a user downloads the app they download this encrypted version. The user installs and opens the app on their iOS device, and the system's kernel decrypts the application binary in memory. This decryption process uses a unique key that is generated and managed by the device's Secure Enclave - a hardware-based key manager which is isolated from the main processor to provide an extra layer of security. The decrypted code is stored in the device's memory, but it isn’t accessible for other processes or apps due to iOS' memory protection mechanisms. Each app runs in its own isolated space (known as a sandbox) and doesn't have access to other apps' data or code.

This fairly robust system helps to explain why iOS apps are seen as being more difficult to reverse engineer than their Android counterparts. But it isn’t enough to put off a skilled attacker.

With an understanding of the protection measures in place, a bad actor will look to employ counter strategies. The first step in cracking the code encryption of an iOS app often involves an attempt to jailbreak the device. Jailbreaking removes the security restrictions imposed by iOS, allowing the attacker to gain full control over the device's file system and execute any code that they like. Once the device is jailbroken, attackers can use various dynamic binary instrumentation tools to dump or extract the decrypted binary code of the app. This is possible because, as we touched on earlier, the application binary gets decrypted in the memory when the app is running. Tools like "frida-ios-dump" or "Clutch" can be used to dump the decrypted binary from memory. With the decrypted binary code in their hands, attackers can then proceed to reverse engineer the code. Tools like Hopper or IDA Pro can disassemble or decompile the binary into a human-readable form. And once the code is disassembled, attackers can analyze it to understand its operation, identify vulnerabilities, extract sensitive information (such as keys or passwords), or modify the code to alter the app's behavior.

If you’re a developer, you can safeguard your iOS apps from reverse engineering in a number of ways. Integrating code obfuscation techniques is a good starting point as it makes your code harder to understand and harder to reverse-engineer. And application shielding mechanisms can protect your app from tampering, cloning, and similar threats. You can find out more about the steps you can take to block these types of attacks with our mobile app protection checklist.

Supply chain attacks

Supply chain attacks happen when an attacker infiltrates your system via a third-party partner or provider who has access to your systems and data. The notorious SolarWinds attack in 2020 is a prime example of how damaging these attacks can be. While this type of attack isn’t as common for apps in the Apple ecosystem as it is for Android apps, that isn’t to say that supply chain attacks are impossible with iOS.

Let’s look at an example. Bad actors exploited the 'Run Script' feature in Apple's Xcode Integrated Development Environment (IDE). This clever manipulation targeted Apple Developers by sharing Xcode Projects. The malicious Xcode project, known as XcodeSpy, works by subtly installing a custom variant of the EggShell backdoor on the developers' macOS computer, which is then entrenched through a persistence mechanism.

This backdoor isn't simply a passive observer. It actively records input from the victim's microphone, camera, and keyboard. And it has the capability to upload and download files. The unsettling truth is that the infection vector XcodeSpy uses could potentially be adopted by other malicious actors. As such, we strongly recommend that iOS developers who frequently use Xcode remain vigilant when using shared Xcode projects.

In an ideal world, you’d want to apply robust security measures across your software supply chain. This includes thoroughly vetting third-party vendors, regularly reviewing and updating security protocols, and employing a robust system for managing and securing access controls. If you’re interested in learning more about this topic, we considered the security guidelines for various mobile technologies, including iOS native development, in an earlier article. It also covers supply chain threats and mitigation measures.

Jailbreaking

As we’ve said, jailbreaking an iOS device means freeing it from the restrictions imposed by Apple. Jailbreaking enables users to install applications, extensions, and themes that aren't available through the official App Store. The process takes advantage of certain iOS security vulnerabilities - be that software or hardware.

A popular example of a modern jailbreak framework is "unc0ver." This semi-untethered jailbreak tool uses a variety of exploits in iOS to gain elevated privileges, and it supports a wide range of iPhone models and iOS versions.

From an end user's perspective, jailbreaking can appear attractive because it provides them with more freedom and customizability. Jailbreaking tools like unc0ver are designed to be user-friendly, often requiring little more than the tap of a button to perform the jailbreak.

But jailbreaking an iOS device can carry significant risks. As we mentioned earlier in this piece, iOS employs a security feature known as "sandboxing" by default. This isolates apps from each other and from the system itself. So, even if an app is compromised, the damage it can do is limited to that app alone. Jailbreaking removes this sandboxing, leaving the system vulnerable to malicious apps that can access data from other apps or even from the system.

Jailbreaking can’t work without using known iOS security vulnerabilities. When you jailbreak your device, you intentionally leave these vulnerabilities unpatched which could then be exploited by bad actors to install harmful software.

While the creators of jailbreaking tools generally aim to provide a safe and secure environment for their users, there's no guarantee that all jailbreaking software is benign. Some tools might come with hidden malicious payloads such as spyware or ransomware that could compromise your data or your device.

There are even examples of software that pretends to be a jailbreak tool but instead exploits the user. One of those is called CheckRain: a website claiming to be a jailbreak tool but instead providing a malicious provisioning profile to perform click-fraud.

Jailbreaking is strongly discouraged by Apple. It voids the device's warranty and you lose access to Apple's support channels. Also, Apple's updates to its iOS can often render jailbroken devices inoperable, forcing users to choose between updating their software and maintaining their jailbreak.

As we’ve said many times before on this website and will continue to say, there’s often a conflict in the tech world between convenience and security. As a user, jailbreaking can bring you more freedom to use your device exactly as you’d like to. But at what cost?

Social engineering

Social engineering involves tricking users into divulging sensitive information or performing actions that compromise security. It's less about technological vulnerabilities and more about exploiting human psychology.

Protecting against social engineering attacks is a job for all of us. Developers can educate end users about threats within the app and via other trusted communication channels. And users can help stop social engineering from succeeding by being naturally suspicious. That means taking a moment to question unsolicited communications, and only sharing sensitive information when absolutely necessary and through trusted channels.

The security journey

Keep in mind that while this overview of iOS security vulnerabilities and protection strategies is comprehensive, it's by no means exhaustive. The cybersecurity landscape is evolving at a rapid pace, so staying informed is the key to staying secure.

There's no room for complacency. Even for a robust and closed ecosystem like iOS, vulnerabilities exist and risks abound. But with the right understanding and vigilance, these can be effectively mitigated.

Remember, the role developers can play in maintaining application security cannot be overstated. As a developer, your commitment to best practices and ongoing education is the first and most important line of defense. But security is not a one-man job, as we know. It's a collective responsibility that involves users, developers, and the platform provider.

We're in this together, navigating a constantly evolving cybersecurity landscape. The risks will continue to change, and new threats will emerge. But with clarity, transparency, and a little bit of positivity, we can continue to foster a safer and more secure digital environment.