Apple’s iOS operating system has always been considered more secure than rival Google Android. Apple owns the hardware, software and platform in a closed ecosystem with much less fragmentation than its competition.
However, in iOS 17.4 this will change for EU users, as Apple makes seismic changes to its App Store and ecosystem to enable sideloading under the new Digital Markets Act regulation.
The change, which is set to go live next week, is the subject of a new warning issued by security researchers following a report looking into the security of iOS apps.
Promon’s report, The State of iOS App Security, specifically investigated whether iOS apps can defend against repackaging attacks. In these attacks, an adversary obtains a copy of the application, modifies it and maliciously repackages it so that it runs successfully on the device.
Repackaging is “one of the most critical risks to address” when platforms allow sideloading, the Promon researchers said.
iOS report findings
To conduct its research, Promon tested the world’s 100 most downloaded iOS apps, as ranked by SensorTower. Combined, these apps were downloaded more than 4.7 billion times last year, according to SensorTower.
Out of 100 applications, 93 (93%) were repackaged. Of the seven (7%) that failed to launch, two apps crashed for reasons other than detecting that the app had been repackaged. The other five apps crashed for unspecified reasons, which could include having detected repackaging, Promon said.
“Given the results of the 100 most actively downloaded apps in the world, it seems safe to conclude that many iOS apps themselves have minimal protection against repackaging,” the Promon report said.
“The introduction of sideloading on iOS, along with the risks associated with third-party app stores, is akin to rolling out the red carpet for a new wave of malware, Trojans and rogue apps,” said Benjamin Adolphi, head of security research at Promon.
“As we prepare for this new era of increased risk, it is imperative that Apple implement far greater repackaging prevention strategies to mitigate the spread of rogue apps before they wreak havoc on unsuspecting users.”
What is Apple doing to protect iOS apps?
All iOS apps are encrypted when distributed through the App Store. However, Promon’s report found that iOS app encryption is “pretty trivial to bypass.”
An attacker trying to repackage an application needs it to be unencrypted in order to modify it and distribute it further. “There are different solutions, but the easiest is to install and run an encrypted app on an iOS device,” Promon said. When iOS launches an app, it is decrypted into memory, and an attacker can dump the unencrypted memory and patch it back into the original app. “This results in a completely unencrypted application that can then be modified,” added Promon.
This should not be possible on a normal iOS device: the user or any app running on the iOS system should not be able to access the memory of an arbitrary app installed from the App Store. Therefore, it is necessary to compromise the device “to some degree” in order to obtain this capability, Promon said.
However, accessing an app’s memory to modify it doesn’t require a full jailbreak, Promon said. In many cases, the company says, a single security vulnerability is enough to allow you to read an application’s memory.
“These bugs allow applications to be signed by arbitrary authorities. This can be used to bypass the iOS sandbox to the extent that arbitrary app memory can be accessed. Compared to a full jailbreak, this is much easier because you only need to know one vulnerability and exploit it compared to the full chain that a modern jailbreak requires.”
Based on this, Promon says that app decryption on modern versions of iOS is “still very possible,” and “developers should not rely on App Store DRM as the primary way to protect their app.”
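Because a repackaged copy starts from a decrypted binary, one triage check a defender can run on a build that claims to come from the App Store is whether its Mach-O header still marks the code as encrypted. The following is an added example, not code from Promon's report: the function names are hypothetical, the sample headers are constructed, it handles only thin 64-bit little-endian Mach-O files, and a cleared flag is a heuristic only, since development builds are legitimately unencrypted.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF        # thin 64-bit little-endian Mach-O
LC_ENCRYPTION_INFO = 0x21       # 32-bit variant of the load command
LC_ENCRYPTION_INFO_64 = 0x2C    # 64-bit variant (adds a pad field)


def encryption_state(macho: bytes):
    """Return (cryptoff, cryptsize, cryptid) from the header, or None."""
    if len(macho) < 32:
        raise ValueError("truncated Mach-O header")
    hdr = struct.unpack_from("<8I", macho, 0)
    magic, ncmds, sizeofcmds = hdr[0], hdr[4], hdr[5]
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    off, end = 32, 32 + sizeofcmds
    if end > len(macho):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("encryption command too short")
            return struct.unpack_from("<3I", macho, off + 8)
        off += cmdsize
    return None


def classify(macho: bytes) -> str:
    """Heuristic label for triage; not proof of tampering on its own."""
    info = encryption_state(macho)
    if info is None:
        return "no-encryption-info"
    _cryptoff, cryptsize, cryptid = info
    if cryptid != 0 and cryptsize > 0:
        return "encrypted"
    return "decrypted-or-never-encrypted"


def sample_macho(cryptid: int) -> bytes:
    """Constructed sample: arm64 header plus one LC_ENCRYPTION_INFO_64."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return header + lc
```

A "decrypted-or-never-encrypted" result on a binary presented as an App Store build is a reason to compare its code signature and bundle contents against the publisher's release.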
What to do
It’s an interesting report, and Apple app security breaches aren’t unheard of — a fake version of the LastPass password manager recently hit the App Store.
But it is important to note that certain conditions must be met in order for applications to be decrypted and repackaged. The problem is actually that Apple opening up iOS to sideloading will increase the risk of these attacks.
“While this is only one attack vector, it highlights the immediate need for heightened security vigilance, even if the underlying platform has safeguards in place,” Promon said.
As the Promon researchers point out, Apple is introducing safeguards—the iPhone maker will continue to notarize iOS apps when iOS 17.4 changes go into effect, “which should help alleviate some of the issues.”
As of iOS 17.4, Apple fans in the EU will have to be careful, but there’s no need to panic. Like Android users, you need to be careful about the apps you download and be sure to delete the ones you don’t use. At the same time, make sure you apply the latest iOS updates as soon as they are released to patch any security flaws that might offer entry.
We’ve reached out to Apple for comment, and I’ll update this article if the iPhone maker responds.