Now, the report itself does also clearly say that, "The research was compiled by looking for hacked versions of the apps that were available from third-party sites outside of the App Store." Even so, the headline is pretty explosive. Let's dive in a bit and find what's relevant here to consumers and to developers.
From a consumer perspective, what we can take away from this message is that jailbreaking your iOS device and using third-party app sites is fraught with danger. You're removing pretty much all of the inherent security mechanisms that Apple designed into the iOS infrastructure when you jailbreak your device. Sure, there are plenty of jailbreaking tools, and the allure is certainly there -- many apps are available through these third-party sites that simply aren't available in Apple's App Store.
Nonetheless, for the vast majority of consumers, it's best to avoid jailbreaking, at least from a security perspective.
But, how about iOS app developers? What do they need to know and do? For registered, licensed app developers who submit their apps through Apple's App Store, nothing has changed in that app ecosystem. It's still built around a massive digital signature hierarchy.
Here are a couple of key questions that we should be asking:
1. Do we have to worry about people pirating our wares, adding malicious features to them, and releasing them through third-party underground app stores? Of course we do.
2. Do we have to worry about our properly signed apps being run on jailbroken devices that are themselves affected by these other hacked apps? Of course we do.
With regard to question 2 above, Apple used to provide an API for checking whether the device your app is running on is jailbroken, but that API has been deprecated. Beyond that, Jonathan Zdziarski has some useful tips on detecting jailbroken devices in his book, "Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It".
Now, protecting our apps from being pirated, "enhanced", and placed on rogue app stores is a different beast entirely. That's a tough problem to solve. At some level, since the original app executable is completely in the hands of the end users on their iOS devices, it is unavoidable. At another level, we should consider our application architectures carefully -- for example, keep proprietary algorithms and similar logic back on our servers rather than in the app. And lastly, we can take steps to obfuscate our code (or portions of it). It's a discussion that we'll certainly go into during our upcoming Mobile App Sec Triathlon.