SandJacking Attack Can Replace iOS Apps with Malicious Versions

Apple has yet to fix a vulnerability which could allow attackers to replace regular apps with rogue versions without the user’s knowledge.

Chilik Tamir from security vendor Mi3 Security disclosed the bug at the Hack in the Box conference in Amsterdam last week and has been told by Cupertino that it is working on a patch, although so far none has been forthcoming, according to reports.

Tamir demoed a similar attack at Black Hat Asia at the end of March. Using a self-built tool dubbed ‘Su-A-Cyder’ he showed how an attacker could replace legitimate apps developed with Xcode7 – an iOS IDE. Anyone can apparently get an Xcode7 developer’s certificate as long as they can produce an email address and Apple ID.

If the malicious replacement app has the same bundle ID as the original, it could be downloaded onto a victim’s device – allowing an attacker to carry out a potentially wide range of malicious activities without the user’s knowledge.

Apple’s iOS 8.3 release blocked this attack route by preventing any app upgrades if the files don’t match.

However, in Amsterdam last week, Tamir apparently showed a way to circumvent this mitigation with SandJacking – a new technique in which an attacker with access to a victim’s device initiates a back-up, then deletes the original app, before loading the malicious replacement and restoring the device from back-up.

The new malicious app will require manual approval by the user but this is likely to be given as it will look identical to the original.

Tamir told Threatpost that although the attack requires an attacker to have physical access to the iOS device, this could happen in a repair shop, for example.

Kevin Bocek, chief security strategist at Venafi, argued that the SandJacking attack highlights once again how powerful certificates have become as potential weapons.

The Xcode7 certificate, at the heart of this attack, was originally created by Apple to allow individual developers to build apps which they don’t want to put on the App Store – so they effectively bypass Apple’s strict app review process.

“Issuing free unvalidated Apple certificates is now a fast-track to enabling malware to be installed,” argued Bocek.

“There are already well over 20 million malware samples authenticated by digital certificates. Bad guys know what powerful weapons digital certificates have become. It’s past due that we learn from our human immune system and apply that to the digital world to know which certificates should be trusted and who is friend or foe.”