Over the weekend (18-19 August 2019), security researchers discovered that Apple has mistakenly unpatched a vulnerability, it had previously fixed in iOS 12.3. The vulnerability, dubbed Sock Puppet, was used as the base for a jailbreak for the latest version of iOS (version 12.4), made public by security researcher Pwn20wnd. It is the first time in years that a public jailbreak was made available for a fully updated version of the iPhone. The jailbreak – a method for removing the security restrictions imposed by Apple – leaves Apple customers vulnerable to malicious attacks, for instance through malware included in applications. A lesser-known fact is that jailbreaking can have severe consequences for app developers and publishers as it enables reverse engineers to illegitimately access the machine code of iOS apps.
As outlined in our recent post about 3 popular misconceptions regarding iOS application security, Apple encrypts the machine code of apps downloaded through the App Store. With this technique, Apple seeks to prevent anyone from illegitimately accessing and analyzing the machine code of iOS applications after download. The problem is that this security measure can easily be bypassed with a number of tools available for jailbroken devices. These tools enable reverse engineers to dump to the unencrypted machine code from memory and reconvert into the original (unprotected) app. Once they have managed to do this, they can search the application for vulnerabilities, extract sensitive information such as API keys from the code, repackage the application with malware – including malware that makes use of the discovered jailbreak, etc.
The recent publication of the jailbreak for iOS 12.4 shows once more that application publishers cannot blindly rely on the security of the OS and the measures taken by Apple, especially if they distribute applications that perform critical transactions or process sensitive information. Instead, they should adopt reliable mobile application protection software as part of their overall security strategy to safeguard the integrity of their applications and avoid abuse. The publication also shows that even the most recent versions of iOS cannot be considered secure. Apple itself has made the mistake of letting their security strategy depend on that assumption. The newly launched Apple Card service was only made available on iOS 12.4, arguably because it mostly takes some time before a new iOS version is compromised. Apple’s security strategy - and anyone else’s based on the same assumption - has been brutally overhauled this weekend by the publication of the jailbreak based on the Sock Puppet vulnerability.