Network security vendor Palo Alto Networks is warning about a new form of iOS malware it has dubbed Keyraider, which has already claimed 225,000 victims. Although a quarter of a million Apple accounts have potentially been compromised, most Apple users are not at risk and likely never will be.
Keyraider only works against Jailbroken iOS devices in which the user has intentionally manipulated the software on their devices so that it is not be restricted to the Apple App Store. More specifically, Keyraider (to date) has only been found to be coming from the Weiphone Cydia repositories in China. Cydia is a popular third-party app repository for jailbroken iOS devices. Although China is the source of Keyraider, Palo Alto reports that the malware has affected users in 18 countries.
The way the Keyraider malware works is it hooks into the SSLRead and SSLWrite functions in the itunesstored process in iOS. Secure Sockets Layer (SSL) provides encryption for data in transport, while the itunesstored process is an iTunes protocol for iOS devices to communicate with the Apple App Store. By hooking into the itunesstored process, Keyraider is able to steal a user’s Apple ID and then potentially steal user information.
While Keyraider is a problem for the quarter million people who may be affected, all those users chose to jailbreak their devices. There is no specific vulnerability here in iOS itself that Apple must fix immediately as some form of zero-day exploit patch. This is not the 2014 iCloud celebrity hack either where Apple needed to update some of its own back-end security processes to protect users.
That said, perhaps Apple could have stricter controls in iOS for the itunesstored process function that first checks to see if the device has been jailbroken. In my view, that one somewhat obvious step could limit some of the potential risk of Keyraider, even on jailbroken devices. A common feature on many enterprise-class mobile-device management (MDM) systems is to first check to see if a device is jailbroken. So why couldn’t Apple implement the same feature for iTunes/Apple ID access?
The simple truth is that running a jailbroken iOS device represents many more risks than just Keyraider. Without the benefit of Apple’s secured update process for apps, there is no assurance that any user of a jailbroken Cydia repository gets the actual application that they expect. Any app could be intercepted and manipulated, even if there isn’t anything wrong with the actual app as it resides in a Cydia repository. Going a step further, though, unlike Apple, which scans the App Store when apps are submitted and updated by developers, Cydia repositories don’t benefit from security scanning. That means there is very little to protect a user from a malicious app in a Cydia repository, even if the application isn’t manipulated by some form of attacker interception.
In the Android world, Google has taken a bit of a broader view of jailbroken app security. While Google also does not recommend that users download apps from non-Google Play repositories, it does have non-Google Play app security in place. Google has a technology known as Verify Apps that will scan a user’s Android device for security threats, even if the apps were downloaded from somewhere other than Google Play.
Apple makes a non-trivial amount of its revenue from its App Store, and it doesn’t seem likely that it will ever endorse, directly or indirectly, the use of third-party app stores like Cydia. This latest attack against jailbroken iOS devices with Keyraider is yet another promotional message for Apple to keep its users locked into the Apple App Store for their own safety.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.