Threat Category: Malicious or privacy-invasive application
ID: APP-20
Threat Description: Mobile apps may evade app vetting by downloading and executing malicious code after installation. On Android, external code can be loaded at runtime through OS-provided APIs such as DexClassLoader (DEX or JAR files fetched from the network or read from app-private storage) and System.load/System.loadLibrary (native code). On iOS, the ability to modify app code is a consequence of the Objective-C runtime that apps execute within, which permits method implementations to be replaced at runtime (method swizzling), so an app's control flow can be redirected after it has been vetted. Because the malicious code is not present in the build submitted for review, static review of the submitted package may fail to detect the app as malicious.
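The Android half of the description above can be checked for statically: an APK's classes.dex carries a string table that names every class the app references, so a vetting pipeline can flag references to the dynamic-loading APIs before the app ever runs. The following Python is an added example, not part of the catalogue entry or of the cited papers. It parses the DEX string_ids table directly; the indicator list and the two sample DEX files are constructed for the example, and build_minimal_dex() emits just enough of the format for the parser to walk, not a loadable file.

```python
import struct

# Strings whose presence in a DEX string table indicates that the app can load or
# execute code that was not in the reviewed APK. Assumed indicator list for this
# example: a starting point, not an exhaustive catalogue.
DYNAMIC_LOADING_INDICATORS = {
    "Ldalvik/system/DexClassLoader;": "loads classes from a .dex/.jar at an arbitrary path",
    "Ldalvik/system/PathClassLoader;": "loads classes from a path outside the APK",
    "Ldalvik/system/InMemoryDexClassLoader;": "loads a .dex straight from a byte buffer",
    "Ldalvik/system/DexFile;": "opens and executes a .dex file directly",
    "Ljava/lang/Runtime;": "Runtime.exec()/load() can run downloaded native code",
    "loadLibrary": "System.loadLibrary()/Runtime.loadLibrary() loads native code",
}


def _read_uleb128(buf, pos):
    """Decode one ULEB128 integer at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def dex_strings(dex):
    """Walk the string_ids table of a DEX file and return its strings.

    DEX layout: header fields string_ids_size at 0x38 and string_ids_off at 0x3C;
    each string_id_item is a uint32 offset to a string_data_item, which is a
    ULEB128 UTF-16 length followed by MUTF-8 bytes and a NUL terminator.
    """
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 0x38)
    strings = []
    for i in range(string_ids_size):
        (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _utf16_len, pos = _read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)
        # MUTF-8 matches UTF-8 for the ASCII identifiers this check cares about.
        strings.append(dex[pos:end].decode("utf-8", errors="replace"))
    return strings


def find_dynamic_loading_refs(dex):
    """Return [(string, reason)] for every indicator present in the DEX."""
    present = set(dex_strings(dex)) & set(DYNAMIC_LOADING_INDICATORS)
    return [(s, DYNAMIC_LOADING_INDICATORS[s]) for s in sorted(present)]


def _uleb128(n):
    """Encode a non-negative integer as ULEB128 (used only by the fixture builder)."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_minimal_dex(strings):
    """Constructed fixture: a DEX with only a header, string_ids and string_data.

    Enough for dex_strings() to parse; it is not a loadable DEX (no code items,
    no checksum, no SHA-1 signature).
    """
    header_size = 0x70
    string_ids_off = header_size
    data_off = string_ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(header_size)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, data_off + len(data))   # file_size
    struct.pack_into("<I", header, 0x24, header_size)            # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)             # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), string_ids_off)
    struct.pack_into("<II", header, 0x60, len(data), data_off)   # data_size/off
    ids = b"".join(struct.pack("<I", off) for off in offsets)
    return bytes(header) + ids + bytes(data)


# Constructed sample string tables: a plain app, and one that pulls in a class
# loader plus Runtime (the "download update.jar and run it" pattern).
BENIGN_DEX = build_minimal_dex([
    "Landroid/app/Activity;", "onCreate", "Ljava/lang/String;", "setContentView",
])
SUSPECT_DEX = build_minimal_dex([
    "Landroid/app/Activity;", "onCreate", "Ldalvik/system/DexClassLoader;",
    "loadClass", "update.jar", "Ljava/lang/Runtime;", "exec",
])

if __name__ == "__main__":
    for name, dex in (("benign", BENIGN_DEX), ("suspect", SUSPECT_DEX)):
        hits = find_dynamic_loading_refs(dex)
        print(name, "->", hits or "no dynamic-loading indicators")
```

Against a real app, unzip the APK and pass each classes.dex (multidex apps carry several classesN.dex files) to find_dynamic_loading_refs(). A hit is a signal rather than a verdict: many legitimate apps reach PathClassLoader indirectly through frameworks, so the check is best used to route an app to deeper dynamic analysis. The iOS counterpart would inspect the Mach-O binary's imports for the Objective-C runtime functions that swap method implementations, such as method_exchangeImplementations and class_replaceMethod.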
Threat Origin
Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications [1]
Jekyll on iOS: When Benign Apps Become Evil [2]
Exploit Examples
CVE Examples
Not Applicable
Possible Countermeasures
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about potential abuse of dynamic code execution by apps installed on COPE or BYOD devices.
Mobile Device User
Use the Android Verify Apps feature (now part of Google Play Protect) to identify potentially harmful apps.
Consider the use of devices that support Android 10 or higher, on which apps targeting Android 10 may no longer execute files from their own writable home directory (W^X enforcement); native code must ship as a library inside the APK. Note that this restricts downloaded native executables, not DEX code loaded through DexClassLoader.
References
[1] S. Poeplau et al., "Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications", in Proceedings of the 2014 Network and Distributed System Security Symposium, 2014; http://www.internetsociety.org/doc/execute-analyzing-unsafe-and-malicious-dynamic-code-loading-android-applications [accessed 31 Aug. 2016]
[2] T. Wang et al., "Jekyll on iOS: When Benign Apps Become Evil", in Proceedings of the 22nd USENIX Security Symposium, 2013; www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang_2.pdf [accessed 25 Aug. 2016]
[3] J. Oberheide, "Android Hax", presented at Summercon, 10 June 2010; https://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf [accessed 25 Aug. 2016]
[4] J. Xie et al., "Hot or Not? The Benefits and Risks of iOS Remote Hot Patching", blog, 27 Jan. 2016; https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html [accessed 31 Aug. 2016]
[5] M. Thompson, "Method Swizzling", blog, 17 Feb. 2014; http://nshipster.com/method-swizzling/ [accessed 31 Aug. 2016]