JSPatch is a time bomb waiting to explode, warns FireEye.

its very surprise Apple unable to detect Any iOS app uploaded for Apple review to Apple’s official App Store has an ability to update itself from any 3rd-party server automatically without user knowledge.
Look for AppStore review guide.it says Apps that download code in any way or form will be rejected

Although Apple’s review process and standards for security and integrity are intended to protect iOS users, developers found the process time consuming and extremely frustrating while issuing a patch for a severe bug or security flaw impacting existing app users.

Apple is aware of this drawback, for this reason designed specific solutions to address the issue and make it easier for iOS app developers to release a hotfix patch without passing the strict controls implemented under the Apple’s review process.

The solution framework is JSPatch – a small JavaScript-to-ObjectiveC engine that developers can integrate in their iOS apps, allowing them to apply hotfixes on their iOS apps simply by adding a few lines of code to their apps.

JSPatch is an open source project – built on top of Apple’s JavaScriptCore framework – with the goal of providing an alternative to Apple’s arduous and unpredictable review process in situations where the timely delivery of hot fixes for severe bugs is vital

Unfortunately, this ‘alternative’ process expose Apple users to the risk of cyber attacks.

JSPatch Working Process:

Once the JSPatch engine loads inside an application, the developer can configure the app always to load a JavaScript file hosted on a remote server, which is controlled by the developer.

So, in need of security fixes or updates to their app, instead of going through Apple’s long-winded update routine, developers can just add some JavaScript code to the file hosted on their server in order to load the code in all the devices where the app is installed.

JSPatch originated from China. Since its release in 2015, it has garnered success within the Chinese region. According to JSPatch, many popular and high profile Chinese apps have adopted this technology. FireEye app scanning found a total 1,220 apps in the App Store that utilize JSPatch.

SECURITY IMPACT:

There are two ways to Exploit this framework:

• If developer has good intention loading via an unencrypted channel
• If the Developer is with malicious intention.

If developer has good intention loading via an unencrypted channel:
Fig: Threat model for JSPatch used by an app targeted by MITM

If an application developer uses JSPatch without any malicious intentions, even then the users security is at risk. The developers who load JSPatch via an unencrypted (HTTP) channel could leave communications between the client and the server unprotected allowing Man-in-the-Middle attacks..

If the Developer is with malicious intention

Fig: Threat model for JSPatch used by a malicious app developer

In both cases:

• MITM can exfiltrate app contents within the sandbox; MITM can perform actions through Private API by leveraging host app as a proxy.
• The app developer can utilize all the Private APIs provided by the loaded frameworks to perform actions that are not advertised to Apple or the users. Since the developer has control of the JavaScript code, the malicious behavior can be temporary, dynamic, stealthy, and evasive. Such an attack, when in place, will pose a big risk to all stakeholders involved.
• Access to sensitive information, such as media files and the pasteboard content

FUTURE ATTACKS:

Much of iOS’ native capability is dependent on C functions (for example, dlopen(), UIGetImageScreen()). Due to the fact that C functions cannot be reflectively invoked, JSPatch does not support direct Objective C to JavaScript mapping. In order to use C functions in JavaScript, an app must implement JSExtension, which packs the C function into corresponding interfaces that are further exported to JavaScript.

This dependency on additional Objective C code to expose C functions casts limitations on the ability of a malicious actor to perform operations such as taking stealth screenshots, sending and intercepting text messages without consent, stealing photos from the gallery, or stealthily recording audio. But these limitations can be easily lifted should an app developer choose to add a bit more Objective C code to wrap and expose these C functions. In fact, the JSPatch author could offer such support to app developers in the near future through more usable and convenient interfaces, granted there is enough demand. In this case, all of the above operations could become reality without Apple’s consent.

How to say no to this Attack:

• Download apps only from the App Store, by trusted company.
• Grant only required permissions to the App.