Apple has gone to great lengths to ensure that users of its mobile operating system feel safe when they use their devices for everyday activities from browsing the Web to updating their banking accounts. The scientists at Georgia Tech managed to get a specially crafted app that could perform all sorts of malicious activities and is aptly named Jekyll, onto the App Store. It bypasses every single security measure put in place by Apple to protect its users.
By enforcing a stringent set of rules that determine which software can and cannot run on its devices, the company has, for the most part, managed to keep its customers safe from malicious software.
App Review
During review each app is manually tested to ensure that it doesn’t crash in any obvious way and that it conforms to all the appropriate App Store rules. Before landing on the Apple store each app is manually reviewed by Apple for flaws and malware. Despite having been largely successful at keeping malware out of the App Store, the review process has its limits.
And this is where iOS’s software-based defenses kick in. Each app that runs on an iPhone or iPad is allowed to read and write files only inside a virtual “sandbox” that the operating system creates for it. Any attempt to access data outside of the sandbox is rejected outright, thus effectively allowing apps to communicate with each other only through approved channels that Apple has put in place the sandbox prevent. To make a hacker’s life even harder, iOS clearly separates areas of memory that are dedicated to code from those that are supposed to contain only data a malicious app that has managed to slip through the review process from siphoning data that belongs to another app without the user’s knowledge.
The real genius of this approach is that it improves security without limiting what apps can do or placing any additional burden on end users. The responsibility will be entirely on developers, who will be forced to explicitly request entitlements for the resources they need to access, and on Apple’s reviewers, who will need to approve or reject those requests. As far as the customers are concerned, the apps they use every day will continue to ask whether they can access your contacts, location data, or photo albums, just like before. Behind the scenes, however, a whole new layer of security will help prevent hackers’ attacks on your personal information.
