JSPatch is a time bomb waiting to explode, warns FireEye.
Surprisingly, Apple is unable to detect this: any iOS app submitted for Apple's review and published on Apple's official App Store can update itself from any third-party server automatically, without the user's knowledge.
Look at the App Store review guidelines: they say that apps that download code in any way or form will be rejected.
Although Apple's review process and standards for security and integrity are intended to protect iOS users, developers find the process time consuming and extremely frustrating when issuing a patch for a severe bug or security flaw that affects existing app users.
Apple is aware of this drawback and for this reason designed specific solutions to address the issue and make it easier for iOS app developers to release a hotfix patch without passing through the strict controls of Apple's review process.
Unfortunately, this 'alternative' process exposes Apple users to the risk of cyber attacks.
JSPatch Working Process:
JSPatch originated from China. Since its release in 2015, it has garnered success within the Chinese region. According to JSPatch, many popular and high profile Chinese apps have adopted this technology. FireEye app scanning found a total 1,220 apps in the App Store that utilize JSPatch.
There are two ways to exploit this framework:
- A developer with good intentions loads the patch via an unencrypted channel
- The developer has malicious intentions
A developer with good intentions loads the patch via an unencrypted channel:
Fig: Threat model for JSPatch used by an app targeted by MITM
Even if an application developer uses JSPatch without any malicious intentions, the users' security is still at risk. Developers who load JSPatch scripts via an unencrypted (HTTP) channel leave communications between the client and the server unprotected, allowing Man-in-the-Middle (MITM) attacks.
The developer has malicious intentions:
Fig: Threat model for JSPatch used by a malicious app developer
In both cases:
- MITM can exfiltrate app contents within the sandbox; MITM can perform actions through Private API by leveraging host app as a proxy.
- Access to sensitive information, such as media files and the pasteboard content
This dependency on additional Objective-C code to expose C functions limits a malicious actor's ability to perform operations such as taking stealth screenshots, sending and intercepting text messages without consent, stealing photos from the gallery, or stealthily recording audio. But these limitations can be easily lifted should an app developer choose to add a bit more Objective-C code to wrap and expose these C functions. In fact, the JSPatch author could offer such support to app developers in the near future through more usable and convenient interfaces, granted there is enough demand. In that case, all of the above operations could become reality without Apple's consent.
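Both threat models above start from the same observable fact: the app binary links a JavaScript engine bridge and fetches scripts from a server. The following Python script is an added example (not code from FireEye or the JSPatch project) showing how an app-vetting or MDM team can statically audit an app bundle for that pattern. It scans the main executable for JSPatch indicator strings, lists any plaintext http:// endpoints that could serve as a MITM-exposed patch channel, and checks Info.plist for NSAllowsArbitraryLoads, which disables App Transport Security. The bundle layout, the sample binary bytes and the .invalid hostnames are constructed for the demonstration; the indicator strings come from JSPatch's public interface and should be treated as a starting point rather than a complete fingerprint.

```python
"""Static audit of an iOS app bundle for JSPatch-style remote code loading.

Added example; not part of the FireEye write-up or the JSPatch project.
The sample bundle below is constructed for this demonstration.
"""
import plistlib
import re
import sys
import zipfile
from dataclasses import dataclass, field

# Strings a decrypted app binary tends to contain when it links JSPatch.
# JPEngine / evaluateScript: are from JSPatch's public interface.
JSPATCH_INDICATORS = (b"JPEngine", b"evaluateScript:", b"JSPatch")

# Any plain http:// URL embedded in the binary is a candidate patch channel
# that an on-path attacker could tamper with (https:// URLs do not match).
HTTP_URL = re.compile(rb"http://[^\s\"'<>\x00]+")


@dataclass
class Finding:
    severity: str
    detail: str


@dataclass
class AuditResult:
    uses_jspatch: bool
    plaintext_urls: list[str]
    ats_disabled: bool
    findings: list[Finding] = field(default_factory=list)


def ats_allows_arbitrary_loads(info_plist: bytes) -> bool:
    """True when NSAppTransportSecurity/NSAllowsArbitraryLoads is set,
    i.e. ATS will not block plaintext HTTP connections."""
    plist = plistlib.loads(info_plist)
    ats = plist.get("NSAppTransportSecurity", {})
    return bool(ats.get("NSAllowsArbitraryLoads", False))


def audit_bundle(binary: bytes, info_plist: bytes) -> AuditResult:
    """Combine the three checks into a list of findings, worst cases last."""
    uses = any(ind in binary for ind in JSPATCH_INDICATORS)
    urls = sorted({m.decode("ascii", "replace") for m in HTTP_URL.findall(binary)})
    ats_off = ats_allows_arbitrary_loads(info_plist)
    result = AuditResult(uses, urls, ats_off)
    if uses:
        result.findings.append(Finding(
            "medium", "binary references the JSPatch engine; the app can "
                      "execute server-supplied JavaScript after review"))
        if urls:
            result.findings.append(Finding(
                "high", "plaintext http:// endpoints present (%s); patch "
                        "delivery is exposed to MITM" % ", ".join(urls)))
        if ats_off:
            result.findings.append(Finding(
                "high", "NSAllowsArbitraryLoads=YES: ATS will not block "
                        "the plaintext channel"))
    return result


def scan_ipa(path: str) -> AuditResult:
    """Audit a real .ipa: locate Payload/<App>.app/Info.plist and the
    executable it names. Note: App Store binaries are FairPlay-encrypted,
    so indicator strings are only visible in a decrypted binary."""
    with zipfile.ZipFile(path) as ipa:
        plist_name = next(n for n in ipa.namelist()
                          if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        info = ipa.read(plist_name)
        exe = plistlib.loads(info)["CFBundleExecutable"]
        binary = ipa.read(plist_name.rsplit("/", 1)[0] + "/" + exe)
    return audit_bundle(binary, info)


# Constructed sample: a "binary" that links JSPatch and fetches over HTTP,
# with ATS disabled, next to a clean app that uses only HTTPS.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16  # fake Mach-O magic + padding
    + b"JPEngine\x00startEngine\x00evaluateScript:\x00"
    + b"http://patch.example.invalid/hotfix/main.js\x00"
    + b"https://api.example.invalid/v1\x00"
)
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.demo",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})
CLEAN_BINARY = b"\xcf\xfa\xed\xfe" + b"UIKit\x00https://api.example.invalid/v1\x00"
CLEAN_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.clean"})

if __name__ == "__main__":
    result = scan_ipa(sys.argv[1]) if len(sys.argv) > 1 else audit_bundle(SAMPLE_BINARY, SAMPLE_PLIST)
    for f in result.findings:
        print(f"[{f.severity}] {f.detail}")
```

Run without arguments to see the constructed sample flagged; pass the path of a decrypted .ipa to audit a real bundle. A hit on the indicator strings alone only shows that the app *can* load remote code; the plaintext URL and ATS findings are what separate the "well-meaning developer over HTTP" case from an app that at least delivers its patches over TLS.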
How to defend against this attack:
- Download apps only from the App Store, and only from trusted companies.
- Grant only required permissions to the App.