Stefan Esser is well known in the Apple iOS jailbreaking and security research community.
Four years ago, at the CanSecWest conference, he presented a paper entitled iOS 5 – An Exploitation Nightmare?
Our own Chester Wisniewski attended that talk, which recounted the nature of the arms race between jailbreakers and Apple.
Esser admitted, back in 2012, that jailbreaking was getting harder, and the timing of jailbreaks more critical, as Apple crammed anti-jailbreak code into every new release of the operating system.
Jailbreakers aim to remove Apple’s artificial restrictions on what their iPhones can do, not only for the freedom to run a wider collection of apps, but also to install security patches and controls that Apple hasn’t got around to yet.
Apple, on the other hand, wants an iOS ecosystem that is contained inside its own “walled garden,” not only to give it a better chance of keeping crooks and rogue software out, but also for reasons of commercial control.
Once you have bought an iPhone, you can only shop at the company store.
Two years ago, Esser showed his curiously humorous side when he gave the name Baby Panda (no, we never found out why) to data-stealing iOS malware that was also known as Unflod, apparently because the malware developer misspelled the word “Unfold”.
Unflod Baby Panda had a bunch of nasty hidden tricks, including tapping into the TLS/SSL code inside the operating system so that the malware could secretly take a look at any encrypted data you were about to send, just before it was encrypted.
Fortunately, the malware was easy to avoid because it only worked on jailbroken devices, which did no harm to Apple’s strict “no jailbreaking” stance.
Success in the App Store
Fast forward to last week, and Esser was flying high in the App Store with a new app called System and Security Info.
According to 9to5Mac, Esser’s app even reached the top of the paid apps chart in the USA.
At €0.99 a time, you’d have to imagine that SektionEins, Esser’s company, was making a tidy income out of a utility that was popular because lots of users found it handy.
That sounds like a win-win-win scenario, with a positive outcome for SektionEins, Apple and their mutual customers.
As well as tracking the CPU and memory usage of other apps, the program would look out for potential security problems caused by the misbehaviour of other apps:
The key features of this app are the ability to show the list of running processes in iOS 9 and a jailbreak and security anomaly detection that can help security-concerned users to check for potential privacy issues and security threats.
Apple famously doesn’t allow proper anti-virus software in the App Store, a restriction that applies to OS X as well as to iOS software.
The limitations imposed on submissions pretty much make third-party threat prevention software, such as a real-time anti-virus, a technical impossibility in the App Store.
Fortunately, on OS X, you can install software from outside the App Store – by default from trusted developers, and, by changing a system setting, from anyone you like.
On iOS, where it’s the App Store or nothing, you’re out of luck.
If you’ve ever wondered why you get Sophos Home for OS X from Sophos and not from the App Store, now you know. To get Sophos Anti-Virus into the App Store, we’d have to emasculate it by removing features such as on-access protection, also known as real-time scanning. But those are the most useful parts, because they prevent rather than merely detect malware.
Nevertheless, Esser’s program, despite its real-time security anomaly detection, had Apple’s blessing…
…until the start of this week.
Ironically, a bug reported as a side-effect of 9to5Mac’s positive review of the software may have led to Esser’s downfall.
Esser tweeted late last week that:
Current bug fix review already takes multiple times as long as previous bug fix reviews. Are they looking for a technicality to kill the app?
In the end, that’s what happened.
According to The Register, Apple’s reason for chucking the app out of the App Store was that:
Currently, there is no publicly available infrastructure to support iOS diagnostic analysis. Therefore your app may report inaccurate information which could mislead or confuse your users.
Translated into plain English, Apple means that Esser was using undocumented features in iOS that he’d figured out himself.
Programmers usually try to avoid doing that sort of thing in security software, not least because undocumented features are subject to change without warning.
But in the absence of documentation, “figuring it out for yourself” is sometimes the only way forward.
Esser has hit back at Apple on Twitter, pointing out that:
iOS 9.3.2 was just released – our app still works.
In other words, Esser is suggesting Apple knew, or could have verified, that the app would still work after the next update, which plays down the risks that the app might “mislead or confuse […] users” due to upcoming changes in the undocumented parts of iOS.
Have your say
Where do you stand on this?
Is Apple’s self-contained vision for the App Store the best way forward?
Or is it time for Apple to become more open about security research into iOS, and to let third-party security developers show some threat prevention innovation in the App Store, perhaps under stricter conditions than regular apps, and after a more detailed verification process?
Opening up the low-level parts of Windows to independent software vendors worked out well for Microsoft in the early 2000s…why not for Apple, 15 years later?