TrollStore Implications and Mitigations For Your iOS Application

TrollStore is a new iOS tool which many malicious users have been awaiting for years. It enables users to install any app on their non-jailbroken device permanently. This might sound trivial, but due to Apple’s policies, on iOS, distributing modded apps is often more challenging than actually modding them. In this article we’ll cover what TrollStore is exactly and how it affects your app’s security.

TrollStore was released on September 3rd 2022 and affects all iOS versions between iOS 14.0 and iOS 15.4.1. It combines two recently discovered CVEs (CVE-2022-26766 and CVE-2021-30937) to gain root privileges and sign the application with arbitrary entitlements. Effectively, this means that an attacker can run the application with arbitrary permissions and properties.

Why is TrollStore a new threat?

Before TrollStore, users of modded application versions would typically jailbreak their devices or use one of a few other approaches to install repackaged applications. Those options each had considerable downsides as described in the appendix; therefore, jailbreaking was often the preferred approach. Because of this, a lot of applications have been using jailbreak detection not just to verify execution environment integrity but also to mitigate repackaging threats.

With TrollStore, the required effort for installing modded applications has been significantly reduced. TrollStore enables everyone to install modified applications without having to jailbreak their device! It also doesn’t suffer from the same ‘user experience’ issues as the techniques mentioned in the appendix.

For an application developer, this now means that jailbreak detection is no longer a valid stopgap to mitigate the majority of repackaging efforts. What's worse, with TrollStore, most of the common repackaging detection solutions won't detect an issue either. This is due to the CVE-2021-30937 vulnerability which enables an attacker to sign the app with an arbitrary TeamID and BundleID.

How can you mitigate the risk for your app?

TrollStore resigns the app with a completely new certificate and entitlements. Therefore, modern and robust repacking detection schemes now have to expand beyond some form of runtime TeamID and BundleID verification Tools like iXGuard achieve this goal by verifying additional indications of authorship in addition to detecting the actual modifications to application code and assets.

If possible within the context of your application, Apple’s App Attest Service can also verify your app’s integrity and mitigate TrollStore. Keep in mind, this approach also requires you to integrate components into your backend as this service relies on client - server communication.

As always, incorporating multiple layers of protection is key to effective mobile application security, thus applying both methods to your app would be our recommendation.

Conclusion

TrollStore and the accompanying CVEs should prompt developers to rethink their view of mobile app security. Especially when it comes to trusting existing system guarantees, such as the integrity of the TeamID and BundleID signature fields. TrollStore is a great example of how these assumptions may be broken at any time, leaving your apps vulnerable.

Therefore, developers should be sure to implement multi-layered and comprehensive protections and not rely solely on system ‘guarantees’ or public tricks on Github. Implementing such techniques and keeping them up-to-date on your own is complex and very time consuming.

Adopting a solution like iXGuard enables you to focus on making your application or game a great experience while allowing a proven partner to focus on protecting your revenue, brand and reputation.

Contact us to learn how iXGuard can help you protect your mobile apps from TrollStore.

Appendix - Common techniques for distribution of repackaged/modded iOS applications.

What are modded applications?

Modified applications are popular on both iOS and Android. They provide a means of distributing pirated paid apps or ‘tweaks’ (changes to an app’s behavior) for free apps. These are often undesirable changes for app developers; removal of ads, unlocking in-app purchases, unhiding beta features, bypassing use-case limitations,... They can also be really malicious in nature, e.g. injection of key loggers and other means of stealing data.

Distribution Of modified applications

So far, in a world without TrollStore, modders used to published their mods in three ways:

1. Upload a modified IPA file that a user can sideload to his non-jailbroken device with a free developer certificate. Users often use tools like AltStore and Sideloady to automate it.
2. Upload a modified IPA file that is signed with an enterprise certificate. Often a user can just install these IPA’s from a website, typically referred to as a ‘third party app store’.
3. Upload a ‘tweak’, which a user can install via a package manager such as Cydia, on a jailbroken device. Note that this approach isn’t really repackaging an application, the tweak applies a patch to the app at the runtime.

Each of these methods have their own drawbacks.

A sideloaded app signed with a free developer certificate (1) expires after 7 days, causing the app not to open anymore. So using this method, one has to ‘renew’ the modified applications every week.

The approach using an enterprise certificate (2) overcomes this expiry date limitation. These kinds of certificates however are relatively expensive, heavily controlled, and restricted by Apple. This kind of usage is also against Apple’s policies. Communities of modders often pool their money to get an enterprise certificate (or use illegal means); once live, Apple will commonly ban the certificate within a few weeks. Downsides of this approach are obvious; it’s not allowed by Apple, after a few weeks one often has to seek an alternative to get a modded app updated and, on top of that, the apps frequently contain additional advertisements to support this effort.

The third approach (3) is the most powerful but requires jailbreaking your phone. There’s a lot of online content explaining the risks for all parties involved, so we will not further expand on it here.

TrollStore, the fourth approach

For as long as iOS versions vulnerable to the relevant CVE’s are not outdated it seems that TrollStore provides a fourth approach, one which has very limited downsides.