Flaws found in Apple's iOS can let malware slip through

U.S. researchers say they've found security weaknesses in Apple's iOS operating system that could let hackers compromise an iPhone through apps or peripherals. "Apple utilizes a mandatory app review process to ensure that only approved apps can run on iOS devices, which allows users to feel safe when using any iOS app," Paul Royal, director of the Georgia Tech Information Security Center, said in a Georgia Tech release Wednesday. "However, we have discovered two weaknesses that allow circumvention of Apple's security measures." Researchers at the center determined malware can be installed onto iOS devices via Trojan Horse-style applications and peripherals such as chargers. The technique, developed as part of a proof-of-concept attack dubbed Jekyll, hides malicious code that would otherwise get rejected during the Apple review process, they said. "We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices," research scientist Tielei Wang said. "Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps -- all without the user's knowledge." Researcher Billy Lau created a proof-of-concept malicious charger using a small, inexpensive single-board computer made to resemble a normal iPhone or iPad charger that, once plugged into an iOS device, stealthily installs a malicious app. Both Wang and Lau notified Apple upon the discovery of these security weaknesses, Georgia Tech said. Apple has implemented a feature in its upcoming iOS 7 that notifies users when they plug their mobile device into any peripheral that attempts to establish a data connection, and is working on ways to address the weaknesses revealed through Jekyll, the school said. "These results are concerning and challenge previous assumptions of iOS device security," Royal said.