Chinese devs abuse free Apple app-testing certs to install pirated apps

Sideloading technique for testing iOS apps empowers malware on non-jailbroken devices

A Chinese iOS application recently found on Apple's official store contained hidden features that allow users to install pirated apps on non-jailbroken devices. Its creators took advantage of a relatively new feature that lets iOS developers obtain free code-signing certificates for limited app deployment and testing.

The number of malware programs for iOS has been very low until now primarily because of Apple's strict control of its ecosystem. Devices that have not been jailbroken -- having their security restrictions removed -- only allow apps obtained from the official App Store, after they've been reviewed and approved by Apple.

There is a separate method for enterprises to distribute in-house developed apps to iOS devices without publishing them on the app store, but it relies on special code- signing certificates obtained through the Apple Developer Enterprise Program.

Enterprise certificates have been used to install malware on non-jailbroken iOS devices in the past and it is one of the techniques used the newly found Chinese app, which is called ZergHelper or XY Helper. However, it's not the most interesting one.

According to researchers from security firm Palo Alto Networks, ZergHelper also abuses personal development certificates, a new type of code-signing certificate introduced by Apple with the release of Xcode 7.0 in September. Xcode is the main tool -- or integrated development environment (IDE) -- used to develop iOS and Mac OS X apps.

Starting with Xcode 7, developers can build apps, sign them and have them run on their own devices without publishing them in the app store. This makes it a lot easier to test apps without enrolling in Apple's Developer Program, which requires a $99 per year subscription.

To generate personal development certificates, app makers have to use Xcode with their phone connected to their computer. The exact process in which Xcode obtains the certificates from Apple is not publicly documented, but the ZergHelper creators seem to have figured it out.

"We think someone has reverse-engineered Xcode in detail to analyze this part of code so that they can implement exactly the same behaviors with Xcode -- in effect, successfully cheating Apple’s server," the Palo Alto Networks researchers said in a blog post.

Some people have expressed concerns after the feature was released last year that attackers might abuse it to create and distribute malware to non-jailbroken devices. ZergHelper is evidence that this is indeed possible, highlighting its potential for abuse "in a wide-ranging and automated way," the researchers said.

In fact, someone was recently selling code on a popular Chinese security forum that could automatically register Apple IDs and then generate personal development certificates for them. That post has since been deleted, the researchers said.

ZergHelper is also providing free Apple IDs to users and it's not clear where those IDs are coming from and whether the app steals them from other devices. The app was available in the official app store from the end of October until Saturday, when Apple removed it after being alerted by Palo Alto Networks.

The company's researchers found no explicitly malicious behavior in ZergHelper so far, its main goal being to act as an alternative app store that allows users to install cracked games and other pirated apps without jailbreaking their iOS devices.

Its creators appear to have tricked Apple's reviewers by using simple tricks. The app was submitted to the app store under the name "Happy Daily English" (in Chinese) and was presented as a helper app for learning English.

Once installed on a phone, the app behaved as advertised if the user's IP (Internet Protocol) address was from outside mainland China. However, if the address was from China, a different interface would appear that would guide users through installing a provisioning profile. This is similar to the process that a device goes through when it's enrolled into a mobile device management system.

Once done, users could install apps from the alternative app store. Some of them were signed with stolen enterprise certificates, but others were signed with the new personal development certificates that Xcode generates for free.

"We don’t know where the App Store reviewers are located," the Palo Alto Networks researchers said. "If they are not located in mainland China, this method could trick them into seeing a legitimate app. Even if they’re in China, the author could just shut down that webpage during the review period so that reviewer could not see the actual functionality through an analysis of its behavior."

The app also used another increasingly popular technique that allows developers to dynamically change their apps' code without submitting a new version to the official app store for review. This was done by integrating a framework called wax that bridges Lua scripting to native iOS Objective-C methods.

While ZergHelper is not malware per se, the techniques it uses could inspire future malicious attacks. Stolen enterprise certficates have been abused in the past, but ZergHelper takes it one step further by automatically generating free personal development certificates.

"This is of concern because the abuse of these certificates may be the first step toward future attacks," the Palo Alto Networks researchers said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?