Chinese devs abuse free Apple app-testing certs to install pirated apps

Sideloading technique for testing iOS apps empowers malware on non-jailbroken devices

A Chinese iOS application recently found on Apple's official store contained hidden features that allow users to install pirated apps on non-jailbroken devices. Its creators took advantage of a relatively new feature that lets iOS developers obtain free code-signing certificates for limited app deployment and testing.

The number of malware programs for iOS has been very low until now primarily because of Apple's strict control of its ecosystem. Devices that have not been jailbroken -- having their security restrictions removed -- only allow apps obtained from the official App Store, after they've been reviewed and approved by Apple.

There is a separate method for enterprises to distribute in-house developed apps to iOS devices without publishing them on the App Store, but it relies on special code-signing certificates obtained through the Apple Developer Enterprise Program.

Enterprise certificates have been used to install malware on non-jailbroken iOS devices in the past, and that is one of the techniques used by the newly found Chinese app, which is called ZergHelper or XY Helper. However, it's not the most interesting one.

According to researchers from security firm Palo Alto Networks, ZergHelper also abuses personal development certificates, a new type of code-signing certificate introduced by Apple with the release of Xcode 7.0 in September. Xcode is the main tool -- or integrated development environment (IDE) -- used to develop iOS and Mac OS X apps.

Starting with Xcode 7, developers can build apps, sign them and have them run on their own devices without publishing them in the app store. This makes it a lot easier to test apps without enrolling in Apple's Developer Program, which requires a $99 per year subscription.

To generate personal development certificates, app makers have to use Xcode with their phone connected to their computer. The exact process by which Xcode obtains the certificates from Apple is not publicly documented, but the ZergHelper creators seem to have figured it out.

"We think someone has reverse-engineered Xcode in detail to analyze this part of code so that they can implement exactly the same behaviors with Xcode -- in effect, successfully cheating Apple’s server," the Palo Alto Networks researchers said in a blog post.

After the feature was released last year, some people expressed concern that attackers might abuse it to create and distribute malware to non-jailbroken devices. ZergHelper is evidence that this is indeed possible, highlighting its potential for abuse "in a wide-ranging and automated way," the researchers said.

In fact, someone was recently selling code on a popular Chinese security forum that could automatically register Apple IDs and then generate personal development certificates for them. That post has since been deleted, the researchers said.

ZergHelper is also providing free Apple IDs to users and it's not clear where those IDs are coming from and whether the app steals them from other devices. The app was available in the official app store from the end of October until Saturday, when Apple removed it after being alerted by Palo Alto Networks.

The company's researchers found no explicitly malicious behavior in ZergHelper so far, its main goal being to act as an alternative app store that allows users to install cracked games and other pirated apps without jailbreaking their iOS devices.

Its creators appear to have evaded Apple's review with simple tricks. The app was submitted to the App Store under the name "Happy Daily English" (in Chinese) and was presented as a helper app for learning English.

Once installed on a phone, the app behaved as advertised if the user's IP (Internet Protocol) address was from outside mainland China. However, if the address was from China, a different interface would appear that would guide users through installing a provisioning profile. This is similar to the process that a device goes through when it's enrolled into a mobile device management system.

Once done, users could install apps from the alternative app store. Some of them were signed with stolen enterprise certificates, but others were signed with the new personal development certificates that Xcode generates for free.
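As an added example (not code from the article or from Palo Alto Networks), the following Python script triages a sideloaded app's embedded.mobileprovision to tell which of the two distribution routes above was used: an enterprise (in-house) profile provisions all devices, while a development profile carries a device list and the get-task-allow entitlement. The sample profiles are constructed, the bytes wrapped around them stand in for the real CMS envelope, and the seven-day lifetime used to flag a free-Apple-ID profile is a heuristic rather than a field Apple documents.

```python
"""Triage an iOS app's embedded.mobileprovision to see how it is allowed to run.

Added example, not the article's or Palo Alto Networks' code. Real key names
(ProvisionsAllDevices, ProvisionedDevices, get-task-allow) are used; the
sample profiles and the DER-looking wrapper below are constructed.
"""
import plistlib
from datetime import datetime, timezone

ALL_DEVICES = "ProvisionsAllDevices"   # true only in Enterprise (in-house) profiles
DEVICE_LIST = "ProvisionedDevices"     # UDID list in development and ad-hoc profiles

# Heuristic (assumption, not an Apple-documented field): profiles that Xcode's
# free provisioning issues to a personal Apple ID last about a week, whereas
# paid-program development profiles last a year.
FREE_PROFILE_MAX_DAYS = 7


def extract_plist(blob: bytes) -> dict:
    """Return the plist dict embedded in a .mobileprovision.

    Real profiles are a CMS (PKCS#7) signature wrapping an XML plist. This does
    not verify that signature (on macOS, `security cms -D -i embedded.mobileprovision`
    does); it slices the plist out of the DER bytes, which also works on a bare plist.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage(blob: bytes, now=None) -> dict:
    """Classify the profile and flag the signs of a free personal development cert."""
    p = extract_plist(blob)
    ent = p.get("Entitlements", {})
    if p.get(ALL_DEVICES):
        kind = "enterprise"            # runs on any device: the stolen-cert route
    elif DEVICE_LIST in p:
        # Development profiles carry get-task-allow (debugger may attach); ad-hoc ones do not.
        kind = "development" if ent.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    created, expires = p["CreationDate"], p["ExpirationDate"]  # naive UTC datetimes
    lifetime = (expires - created).days
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "kind": kind,
        "team": p.get("TeamIdentifier", ["?"])[0],
        "app_id": ent.get("application-identifier"),
        "devices": len(p.get(DEVICE_LIST, [])),
        "lifetime_days": lifetime,
        "expired": expires < now,
        "likely_free_apple_id": kind == "development" and lifetime <= FREE_PROFILE_MAX_DAYS,
    }


def _wrap(plist: bytes) -> bytes:
    """Constructed stand-in for the CMS envelope: arbitrary DER-looking bytes around the plist."""
    return b"\x30\x82\x10\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + plist + b"\x00\x00\x31\x00"


# Constructed sample: an in-house (enterprise) profile, valid for a year on any device.
SAMPLE_ENTERPRISE = _wrap(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AppIDName</key><string>Example Helper</string>
  <key>CreationDate</key><date>2016-02-01T00:00:00Z</date>
  <key>ExpirationDate</key><date>2017-02-01T00:00:00Z</date>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamIdentifier</key><array><string>ENT0000000</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ENT0000000.com.example.helper</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>""")

# Constructed sample: a development profile for one device, valid for seven days.
SAMPLE_FREE_DEV = _wrap(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AppIDName</key><string>Example Game</string>
  <key>CreationDate</key><date>2016-02-13T00:00:00Z</date>
  <key>ExpirationDate</key><date>2016-02-20T00:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>00000000000000000000000000000000deadbeef</string></array>
  <key>TeamIdentifier</key><array><string>DEV0000000</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>DEV0000000.com.example.game</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict></plist>""")

if __name__ == "__main__":
    for name, blob in (("enterprise", SAMPLE_ENTERPRISE), ("free-dev", SAMPLE_FREE_DEV)):
        print(name, triage(blob))
```

On a real device the profile lives inside the .app bundle as embedded.mobileprovision; a fleet-wide run of this check over installed apps is a cheap way to spot apps that arrived through either route the article describes rather than through the App Store.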

"We don’t know where the App Store reviewers are located," the Palo Alto Networks researchers said. "If they are not located in mainland China, this method could trick them into seeing a legitimate app. Even if they’re in China, the author could just shut down that webpage during the review period so that the reviewer could not see the actual functionality through an analysis of its behavior."

The app also used another increasingly popular technique that allows developers to dynamically change their apps' code without submitting a new version to the official app store for review. This was done by integrating a framework called wax that bridges Lua scripting to native iOS Objective-C methods.

While ZergHelper is not malware per se, the techniques it uses could inspire future malicious attacks. Stolen enterprise certificates have been abused in the past, but ZergHelper takes it one step further by automatically generating free personal development certificates.

"This is of concern because the abuse of these certificates may be the first step toward future attacks," the Palo Alto Networks researchers said.
