Chinese Software Lets iPhones, iPads Install Pirated Apps
CREDIT: Image composite by SecurityNewsDaily
Just before the New Year, two new pieces of software appeared that made it possible to install pirated and unauthorized apps on iPhones and other Apple iOS devices without jailbreaking the devices.
The two services, Zeusmos and Kuaiyong, are no longer available from their official websites, but installers for the services can quickly be found online.
But how dangerous is either to use? Expert opinion seems to be divided.
"Today's iOS protip is: * do * not * run * kuaiyong * or * anything * like * it *," tweeted security researcher Melissa Elliott on Jan. 2.
Yesterday (Jan. 28), Trend Micro Product Manager Warren Tsai opined that using either Kauiyong or Zeusmos wouldn’t be such a big deal.
"Because the iOS sandbox has not been compromised, what each app can and can’t do is rather limited," wrote Tsai. "For now, it’s not likely to be much of a security threat."
Welcome to the wonderful world of Android
Despite the sandbox restriction, which prevents one app from interfering with another, Tsai concedes it might be pretty easy for a malicious app to steal personal information from the user, or as he puts it, create a "privacy data leakage problem."
Another problem is that services like Zeusmos and Kuaiyong bring a bit of Android's security chaos to the orderly iOS universe.
Android has a problem with malicious apps posing as free versions of popular paid ones. Dozens have popped up in the official Google Play store, which is meant to screen out such malware. "Off-road" markets are rife with them.
Tsai notes that the new services could also be an "interesting avenue" for attacks on specific companies or organizations.
Both Kauiyong and Zeusmos take advantage of Apple's Developer Enterprise program, which lets companies create "in-house" apps for distribution to employees' iOS devices.
Savvy hackers could create a fake in-house app purporting to come from a major defense contractor, and then send employees an email instructing them to install it from their laptops or desktops.
The app could then spy on those employees, tracking their whereabouts with location services and possibly even reading their emails, texts and Web-browsing histories.
We're all developers here
Licenses for both Apple's Developer and Developer Enterprise programs allow "ad hoc distribution," or installations of apps from outside the App Store for testing purposes on up to 100 iOS devices.
"In-house distribution," available only to businesses licensed in the Developer Enterprise program, permits unlimited installations of non-App Store apps.
Authorization for "in-house" apps is built in, but an iOS device can install apps from only one Developer Enterprise licensee at a time.
Subscriptions to Developer and Developer Enterprise licenses have to be renewed every year, at a cost of $100 and $300 respectively. If not, the apps stop working.
Apple's done a remarkable job of keeping the iOS environment, now more than 5 years old, malware free.
But services like Zeusmos and Kuaiyong remind us that iOS isn't impregnable. Now may be the time for iOS users to learn how to protect themselves on a platform that has maintained a fairly sterile environment up until now.
Despite the new threat, criminals and hackers have to work hard to get iPhone users to install bad apps on their phone.
Because of that challenge, the bulk of mobile-device attacks will be focused on the Android platform for quite some time.