Most iPhone users believe that apps can only be installed via the App Store, which is strictly monitored by Apple, meaning that their devices are safe from malicious apps. But is this actually the case?

At Certo, we’ve identified 5 methods that hackers are using right now to get around Apple’s app review process to install highly-intrusive spy apps that could monitor someone’s location, record phone calls and steal photos/videos.

Apple’s Stance

Apple are continuing their privacy campaign this year to re-assure their customers that “What happens on your iPhone, stays on your iPhone”.  As part of this campaign Apple have released a series of ads this week pledging their commitment to customer privacy.

The ad above declares that because of their strict app review process, malware cannot make it onto the App Store. While true, there are several other ways a malicious app could be installed on your iPhone, although Apple rarely mentions these publicly for obvious reasons.  We outline the 5 ways hackers are bypassing the App Store to infect devices below:

1 – Jailbroken Devices

Probably the most well-known way to install non-approved apps is by Jailbreaking an iPhone.  Jailbreaking is a process that removes restrictions on a device, allowing third-party apps to be installed, such as spyware. While Jailbreaking has become harder in recent years it’s still possible today, especially if your device is not kept up-to-date.

Examples of spyware that work on a Jailbroken device include FlexiSpy, mSpy and HelloSpy.  These spy apps allow a hacker to access the victim’s phone calls, location, messages and photos/videos.  Furthermore, because the device is Jailbroken, a spy app can be made completely invisible.

Scan Your iPhone

2 – Enterprise Certificate Abuse

Apple have an Enterprise Developer Program aimed towards their corporate clients who require bespoke apps for in-house use. It may not make sense for a company to have their in-house apps available publicly on the App Store. Therefore, Apple created the Enterprise Developer Program allowing companies to develop their own apps and distribute them internally.

However, it’s important to note that since these apps are never listed on the App Store, they do not need to pass Apple’s malware check.  Hackers saw an opportunity here to exploit this program in order to install malicious apps and spyware onto victim’s devices.

Hackers typically signup for the Enterprise Program under a false identity and then assign a trusted Apple-issued enterprise certificate to their malicious app before deploying it on a victims iPhone.   The victim’s phone is tricked into thinking it is part of the hacker’s fake organisation and allows the app to be installed.

One such example of Enterprise Certificate Abuse is Exodus, which was discovered earlier this year and is capable of silently accessing the victim’s contacts, photos, videos, GPS location data and can even be remotely triggered to listen in on people’s conversations.

You can read more about Enterprise Certificate Abuse here, with advice on how to check your device for unwanted Enterprise Apps.

3 – Exploiting Vulnerable Apps

A challenge commonly faced by hackers is how to install a malicious app on a victim’s device.  What if it was possible to comprise a legitimate app that people already have on their iPhones?

A few months ago, exactly this happened when WhatsApp admitted that attackers were able to exploit a vulnerability in their app that allowed surveillance software to be installed on an iPhone or Android device.  WhatsApp quickly fixed the vulnerability in an update, but with 1.5 billion users worldwide, many devices could have been affected before the vulnerability was brought to their attention.

This calls into question how many other apps could be exploited in a similar way, but the developers are as yet unaware?

4 – Developer Apps

Anyone can sign up for a Developer Account with Apple for just $99 per year.  This developer account gives someone access to the tools to create iOS apps and submit them to the App Store for approval. Developers like to test their apps on real devices before submitting to the App Store for review. To achieve this, Apple allows developers to digitally sign their apps and install them on an iPhone connected to a computer via USB.

This works well for prototyping an app before release, but hackers also saw this as a way to install malicious apps on a victim’s device and bypass the App Store’s strict review process.

Unlike with a Jailbroken device, it’s not possible for the hacker to hide a malicious Developer App. Instead, they normally bury the app within an infrequently accessed folder to avoid detection. For example, when was the last time you checked the apps in your “Utilities” folder?

If you are concerned that someone may have installed a malicious Developer App on your iPhone then the process to check for this is the same as malicious Enterprise Apps.

5 – Sideloading Apps

A relatively unknown method of installing non-approved apps to an iPhone is by Sideloading. This involves using a tool such as Cydia Impactor on a computer to send an IPA file (the app installation package) to an iPhone via USB.

Whilst there are several legitimate reasons for Sideloading an app, these apps do not need to pass Apple’s App Store review and can therefore contain potentially dangerous code.  We’ve seen several examples of Sideloaded apps being used in targeted attacks this year.

To run Sideloaded apps on an iPhone they need to be signed with a digital certificate. This is easy for a hacker to do as a digital certificate can be generated by simply providing any Apple ID, which allows a sideloaded app to function for 7 days.  Alternatively, if the app is signed with a Developer Apple ID then it will work for 1 year.

As with malicious developer apps, it’s not possible to completely hide these apps from a victim, but they are commonly hidden within infrequently accessed folders to avoid detection.

Summary

Apple are amongst the most secure devices in the world and their App Store review process helps to reduce the number of malicious apps that make it onto the iPhone. But clearly, Apple still has quite a bit of work to do to when it comes to fulfilling their privacy vision.

At Certo we specialize in iPhone spyware detection and are trusted by thousands of people to safeguard their devices.  Certo’s industry-leading spyware detection tool can check your device in a matter of minutes and will alert you if your device contains spyware, even if it’s completely hidden.

Scan Your iPhone