JSPatch Vulnerability Digs Under Apple’s Garden Walls

One of the reasons iPhones are considered more secure is the thorough vetting of each and every app on the Apple App Store. This review is meant to ensure that no malicious app reaches the guarded platform from which almost all users download their apps. There have been several cases in which malicious code did get past Apple's reviewers, but they have been few.

It is not only the apps themselves that are scrutinized; app updates are inspected as well, to ensure no malicious code is added later. This creates a problem for developers who want to patch flaws as fast as possible: waiting for review can take up to a week, a critical amount of time when a bug is live in production.

To work around this, developers created JSPatch (JavaScript Patch), an open source project built on Apple's JavaScriptCore framework. An app that embeds JSPatch downloads a JavaScript file at run time, and the library uses the Objective-C runtime to replace the implementations of the app's existing methods with the JavaScript versions, or to add new ones. Because the script arrives after the app has shipped, the change never goes through Apple's review process.

Although patching apps quickly to resolve security issues might sound like a good thing, it is actually a double-edged sword. JSPatch is not an exploit in itself; the downside is that an app which executes whatever script it downloads has no protection mechanism to tell the developer's legitimate patch from a malicious one. There are several ways in which this can be abused:

  1. A developer can submit a benign app and, once Apple approves it, push a patch that adds malicious behaviour, including calls to private APIs that review would have rejected.
  2. An ad SDK embedded in a legitimate app can push its own patch after Apple's approval and hijack the app for malicious ends without the developer noticing.
  3. An app that does not protect the connection to its patch server (plain HTTP, or HTTPS without certificate validation, and no integrity check on the script itself) can be abused by a Man in the Middle attack. The attacker substitutes their own script over the air and re-patches the app with malicious components without the developer's knowledge.
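
The third scenario comes down to the app trusting whatever bytes arrive from the network. The following Go program is an added example, not code from the JSPatch project or from Check Point, showing the weak loader beside a hardened one: the developer signs each patch (version number plus script) with an Ed25519 key that never ships in the app, and the client evaluates a script only if the signature verifies against a public key pinned in the binary and the version moves forward. The `Patch` layout, the `jspatch-v` framing and the version rule are assumptions made for this example; JSPatch itself only takes the script text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Patch is the unit the app downloads from its patch server. The layout is
// an assumption of this example: JSPatch itself only takes the script text.
// Version is signed together with the script so that an attacker who
// captured an older, legitimately signed patch cannot replay it.
type Patch struct {
	Version   uint32
	Script    []byte
	Signature []byte
}

// signedBytes is the canonical message that is signed and verified:
// the version number followed by the script.
func signedBytes(version uint32, script []byte) []byte {
	msg := []byte(fmt.Sprintf("jspatch-v%d\n", version))
	return append(msg, script...)
}

// SignPatch is the developer-side step. The private key stays on the
// release machine and never ships inside the app.
func SignPatch(priv ed25519.PrivateKey, version uint32, script []byte) Patch {
	return Patch{
		Version:   version,
		Script:    script,
		Signature: ed25519.Sign(priv, signedBytes(version, script)),
	}
}

// LoadPatchUnverified is the weak client: it hands whatever the server
// (or whoever sits between the app and the server) returned straight to the
// JavaScript engine. This is the pattern behind scenarios 2 and 3 above.
func LoadPatchUnverified(p Patch, eval func(script []byte)) {
	eval(p.Script)
}

// LoadPatchVerified is the hardened client. pinnedPub is compiled into the
// app; installedVersion is the version of the patch currently applied.
// The script is evaluated only if the signature verifies and the version
// moves forward.
func LoadPatchVerified(pinnedPub ed25519.PublicKey, installedVersion uint32, p Patch, eval func(script []byte)) error {
	if len(p.Signature) != ed25519.SignatureSize {
		return errors.New("patch rejected: malformed signature")
	}
	if !ed25519.Verify(pinnedPub, signedBytes(p.Version, p.Script), p.Signature) {
		return errors.New("patch rejected: signature does not verify against pinned key")
	}
	if p.Version <= installedVersion {
		return fmt.Errorf("patch rejected: version %d is not newer than installed %d", p.Version, installedVersion)
	}
	eval(p.Script)
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	run := func(s []byte) { fmt.Printf("evaluating: %s\n", s) }

	// Constructed sample script in JSPatch's own syntax (not executed here).
	genuine := SignPatch(priv, 2, []byte(`defineClass("ViewController", { handleBtn: function(sender) {} })`))
	fmt.Println("genuine:", LoadPatchVerified(pub, 1, genuine, run))

	// A network attacker swaps the script but cannot forge the signature.
	tampered := Patch{Version: 2, Script: []byte(`/* attacker script */`), Signature: genuine.Signature}
	fmt.Println("tampered:", LoadPatchVerified(pub, 1, tampered, run))

	// Replaying the genuine patch after a newer one was installed also fails.
	fmt.Println("replayed:", LoadPatchVerified(pub, 2, genuine, run))

	// The unverified loader runs the attacker's script without complaint.
	LoadPatchUnverified(tampered, run)
}
```

The signature check is in addition to TLS with certificate validation, not a replacement for it: TLS protects the connection, the signature protects the script regardless of how it arrived, and the signed version number stops an attacker who controls the path from serving an old, still validly signed patch. None of this helps against scenarios 1 and 2, where the party holding the signing key is the one pushing the malicious patch.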

How does Check Point’s Mobile Threat Prevention protect you?

Check Point has added new detection capabilities to our iOS engine to map applications that use JSPatch. As this is not an attack in itself, every new application added to our system that includes the JSPatch code receives an info summary indicating that the application might be using vulnerable code. Organizations can also blacklist malicious apps and prohibit them from being installed on mobile devices. Check Point Mobile Threat Prevention is rescanning its database and adding this detection information to already-scanned apps.
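
To illustrate what "mapping applications that use JSPatch" can look like in practice, here is an added Go example; it is not Check Point's engine and not part of the JSPatch project. Objective-C class and selector names sit in clear text inside a Mach-O binary, so the JSPatch runtime leaves its class `JPEngine` and its selectors behind unless the developer renames them. The scanner searches a binary for those strings and weights them, because `evaluateScript:` is also a plain JavaScriptCore selector and on its own only shows that a JavaScript engine is present. The weights, thresholds and the NUL-separated sample fragments are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Indicator is a string to look for in an app binary together with how
// much it tells us on its own. JPEngine, startEngine, evaluateScript: and
// evaluateScriptWithPath: are JSPatch's public Objective-C API;
// "evaluateScript:" is also a JavaScriptCore JSContext selector, so it
// carries little weight by itself. Weights are an assumption of this example.
type Indicator struct {
	Needle []byte
	Weight int
	Note   string
}

var jspatchIndicators = []Indicator{
	{[]byte("JPEngine"), 3, "JSPatch's main Objective-C class"},
	{[]byte("startEngine"), 2, "JPEngine +startEngine selector"},
	{[]byte("evaluateScriptWithPath:"), 2, "JPEngine selector for a script file"},
	{[]byte("evaluateScript:"), 1, "JPEngine selector, but also JavaScriptCore's JSContext"},
	{[]byte("JSPatch"), 1, "library name, e.g. in a bundled script path"},
}

// Finding records one hit and where in the binary it was found.
type Finding struct {
	Indicator string
	Offset    int
	Weight    int
}

// ScanForJSPatch walks the raw bytes of a binary once per indicator and
// reports every occurrence, in indicator order.
func ScanForJSPatch(bin []byte) []Finding {
	var out []Finding
	for _, ind := range jspatchIndicators {
		for pos := 0; ; {
			i := bytes.Index(bin[pos:], ind.Needle)
			if i < 0 {
				break
			}
			out = append(out, Finding{string(ind.Needle), pos + i, ind.Weight})
			pos += i + len(ind.Needle)
		}
	}
	return out
}

// Verdict turns the findings into the kind of informational label the
// text above describes: not an attack, but a capability worth flagging.
// Each distinct indicator counts once; the thresholds are an assumption.
func Verdict(findings []Finding) string {
	score := 0
	seen := map[string]bool{}
	for _, f := range findings {
		if !seen[f.Indicator] {
			seen[f.Indicator] = true
			score += f.Weight
		}
	}
	switch {
	case score >= 3:
		return "info: app embeds JSPatch and can be hot-patched at run time"
	case score > 0:
		return "weak: JavaScript engine present, no JSPatch-specific indicator"
	default:
		return "none"
	}
}

func main() {
	// Constructed stand-ins for fragments of two app binaries; real
	// __objc_classname / __objc_methname data is NUL-separated like this.
	withJSPatch := []byte("ViewController\x00JPEngine\x00startEngine\x00evaluateScript:\x00handleBtn:\x00")
	jscOnly := []byte("ViewController\x00JSContext\x00evaluateScript:\x00handleBtn:\x00")
	for _, b := range [][]byte{withJSPatch, jscOnly} {
		f := ScanForJSPatch(b)
		fmt.Printf("%d hits -> %s\n", len(f), Verdict(f))
	}
}
```

A string scan of this kind only catches apps that ship JSPatch under its own names; a developer or SDK that renames the class and selectors, or hides the script URL, will not match, which is why the result is an informational flag rather than a malware verdict.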