
Researchers get malware app approved by Apple
NewsPoster
MacNN Staff
Join Date: Jul 2012
Aug 19, 2013, 06:16 AM
 
The security of Apple's App Store approval process has had its credibility challenged following revelations that it approved an app that was submitted by researchers with remotely assembled malware hidden in its code. According to Technology Review, the team from Georgia Tech monitored the app throughout the approval process and found that Apple only ran the app for a few seconds before approving it. This did give Apple the time to detect the malicious code which subsequently assembled into malware that could steal personal information, device IDs, photos as well as send texts and emails.

"The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed," said Long Lu, a member of the team at Georgia Tech, led by Tielei Wang. "The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," Lu asserted.

In May this year one of our editors, Sanjiv Sathiah, reported discovering two fake apps that had slipped through Apple's app approval process. Apple removed the apps upon being notified of their existence. At the time, MacNN contacted Apple regarding the two fake apps and spoke to Apple spokesperson Jesse James. James was not prepared to comment on how the apps were able to slip through Apple's app approval process, but was only prepared to state that the "Apple App Store is the only curated app store in the world."
     
msuper69
Professional Poster
Join Date: Jan 2000
Location: Columbus, OH
Aug 19, 2013, 07:41 AM
 
I wonder if Apple will trigger the kill switch for this app.
     
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Aug 19, 2013, 09:45 AM
 
Developers complain about how long it takes to get their apps approved. Now this process will take even longer to make sure apps like this "research" app don't get through. I can see Apple shutting down the approval process like they did the developer website to change the entire process. I hope this team contacted Apple before spreading it all over the web. Wait, why would they? If they did, they wouldn't get the recognition they were looking for.
     
hayesk
Guest
Aug 19, 2013, 10:00 AM
 
App reviews are held by regular people. And they don't have magic "code-monitoring" apps to watch if bad things happen (how do you define a "bad thing" anyway).

Sometimes some get through, but when discovered, they are pulled pretty quickly.
     
azrich
Forum Regular
Join Date: Apr 2010
Location: Prescott, AZ
Aug 19, 2013, 10:05 AM
 
prl99- check out the linked article. It says there that the only devices the app was installed on were the researcher's own, where the malware worked as designed. The article also says they took it down before anyone else could get it. I don't think these are glory seekers so much, but that's just my take on it.

I'm glad these guys were the first to get one like this through vs some real bad coders. This shows the complexity of security in this day and age. It reminds me of messages encoded in JPG images being sent between spies.
     
Marook
Forum Regular
Join Date: May 1999
Location: Copenhagen, DK
Aug 19, 2013, 10:07 AM
 
Hmm, as far as I know, you are NOT allowed to fetch/build code not already in the App, so by doing this, they broke the developer agreement. That's also why Java & Flash are not allowed!

Wonder how they did that..
Marook
At least - it's a reply...
     
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Aug 19, 2013, 10:11 AM
 
azrich--it's called Steganography and I wonder if malware detection software actually checks for these types of things.
     
YangZone
Junior Member
Join Date: May 2000
Location: San Francisco, CA USA
Aug 19, 2013, 12:09 PM
 
Knock-knock...
     
Sandman619
Fresh-Faced Recruit
Join Date: Jul 2006
Aug 19, 2013, 05:24 PM
 
The issue here is that Apple's iOS terms do not permit apps to download remote code. This is probably more of an honor system, since there probably isn't any way to prevent this from happening, since it is controlled on the developer side. Apps designed this way would be hard to detect, since the developer would not execute such code until after the app is approved. Apple would probably need to conduct a post-approval app review if they want to catch these apps.
     
broohaha22
Fresh-Faced Recruit
Join Date: Jul 2006
Aug 19, 2013, 06:42 PM
 
"This did give Apple the time to detect the malicious code which subsequently assembled into malware that could steal personal information, device IDs, photos as well as send texts and emails."

I think this should have said "This did NOT give Apple the time to detect the malicious code...."
     
   
 