No one really knows exactly how Apple makes sure the apps that wind up in its store are safe. All we know is that the App Store has a comparatively better track record than its Android counterpart. But nothing is ever totally safe. Researchers managed to sneak malware onto the App Store with ease by giving their app the power to transform.
The app, called Jekyll, was able to send e-mails and texts, steal information and device ID numbers, take photos, send tweets, and attack other apps. But its trick was that it couldn't do this right away. Instead, the malicious code was broken into innocent looking segments that would transform after download.
Long Lu, one of the researchers on the team, described it this way:
The app did a phone home when it was installed, asking for commands. This gave us the ability to generate new behaviour of the logic of that app which was nonexistent when it was installed.
After the team slipped Jekyll into the App Store, they downloaded it and ran the attacks on themselves before deleting it off the store before any innocents got hold of it. Through monitoring the app, they were able to tell that Apple only scanned it for mere seconds before approval, though who knows if a longer scan really would have helped.
The experiment happened all the way back in March, but the team only just spilled the beans about their results last Friday at a the Usenix conference in Washington, and since the incident, Apple has tweaked its app review process in ways that it's not keen on talking about. It just goes to show that you can never be too careful what you download; there are always going to be ways to sneak sketchy apps past the guards. [MIT Technology Review]