Do you know?… Any iOS app downloaded from_ Apple’s official App Store_ has an ability to update itself from any 3rd-party server automatically without your knowledge.
Yes, it is possible, and you could end up downloading malware on your iPhone or iPad.
Unlike Google, Apple has made remarkable efforts to create and maintain a healthy and clean ecosystem of its official App Store.
Although Apple's review process and standards for security and integrity are intended to protect iOS users, developers found the process time consuming and extremely frustrating while issuing a patch for a severe bug or security flaw impacting existing app users.
To overcome this problem, Apple designed a set of solutions to make it easier for iOS app developers to push straightway out hotfixes and updates to app users without going through Apple's review process.
Sounds great, but here's the Kick:
Malicious app developers can abuse These solutions, potentially allowing them to circumvent effectively the protection given by the official App Store review process and perform arbitrary actions on the compromised device, FireEye has warned.
Developed by a Chinese developer, JSPatch is utilised in as many as 1,220 iOS apps in the App Store, according to researchers. Although they failed to name the apps, the researchers claim that they have already notified the app providers.
There are two ways to abuse this framework:
What if the app developer has bad intention?
A malicious developer can first submit a harmless JSPatch integrated application to the Apple App Store.
> "JSPatch is a boon to iOS developers," _FireEye researchers said in a blog post. "In the right hands, it can be used to quickly and effectively deploy patches and code updates. However, in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes."_
What if the app's developer loads JSPatch via an unencrypted channel?
If an application developer uses JSPatch without any malicious intentions, even then the users security is at risk. The developers who load JSPatch via an unencrypted (HTTP) channel could leave communications between the client and the server unprotected.
This isn't the very first-time iOS users are facing such problems. Last October, hundreds of iOS apps in the App Store were found collecting user's private data while violating security and privacy guidelines of Apple.
The discovery came just a month after the XcodeGhost malware was distributed through legitimate iOS Apps via counterfeit versions of Apple's app developer toolkit called Xcode. Here's how to protect yourself against XCodeGhost like iOS flaws.
The recommendations to protect yourself against this flaw are standard:
Download apps only from the official App Store, that you need, that you know, and that you trust.
Beware of applications that ask for an extensive amount of permissions and only grant the apps permissions that are necessary.
Manually review "everything" to discover anything malicious in your devices. Rest is up to the company if it wants to improve its application update process to make it speedier, or to allow potential attack vectors that could affect most of its apps and their users.