{"id":7708,"date":"2013-08-17T10:52:35","date_gmt":"2013-08-17T15:52:35","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=7708"},"modified":"2013-08-17T10:52:35","modified_gmt":"2013-08-17T15:52:35","slug":"jekyll-on-ios","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2013\/08\/17\/jekyll-on-ios\/","title":{"rendered":"Jekyll on iOS: When Benign Apps Become Evil"},"content":{"rendered":"<p><a href=\"http:\/\/www.informationweek.com\/mobility\/smart-phones\/apple-ios-security-defeated-by-sneaky-ap\/240160105?printer_friendly=this-page\">Thomas Claburn<\/a>:<\/p>\n<blockquote cite=\"http:\/\/www.informationweek.com\/mobility\/smart-phones\/apple-ios-security-defeated-by-sneaky-ap\/240160105?printer_friendly=this-page\"><p>&ldquo;Jekyll apps do not hinge on specific implementation flaws in iOS,&rdquo; the paper explains. &ldquo;They present an incomplete view of their logic (i.e., control flows) to app reviewers, and obtain the signatures on the code gadgets that remote attackers can freely assemble at runtime by exploiting the planted vulnerabilities to carry out new (malicious) logic.&rdquo;<\/p><p>Assembling malicious logic at runtime avoids detection by reviewers and by automated methods of static analysis, a way to analyze program code without actually executing the instructions.<\/p><\/blockquote>\n<p>The full Usenix paper is available <a href=\"https:\/\/www.usenix.org\/system\/files\/conference\/usenixsecurity13\/sec13-paper_wang_2.pdf\">here<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Thomas Claburn: &ldquo;Jekyll apps do not hinge on specific implementation flaws in iOS,&rdquo; the paper explains. 
&ldquo;They present an incomplete view of their logic (i.e., control flows) to app reviewers, and obtain the signatures on the code gadgets that remote attackers can freely assemble at runtime by exploiting the planted vulnerabilities to carry out new [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[91,31,26,48],"class_list":["post-7708","post","type-post","status-publish","format-standard","hentry","category-technology","tag-appstore","tag-ios","tag-iosapp","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/7708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=7708"}],"version-history":[{"count":0,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/7708\/revisions"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=7708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/
blog\/wp-json\/wp\/v2\/categories?post=7708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=7708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}