Threat Research

Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching

Previously On iOS Remote Hot Patching

Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be lengthy, which negatively impacts developers who need to quickly patch a buggy or insecure app. As a result, we have seen the development of various third-party solutions that allow developers to remotely hot patch an iOS app on a non-jailbroken device without going through Apple’s review process. While iOS remote hot patching is a very recent concept and is still in its inception, we have seen fierce demand and an emerging market for such products. However, they are not without their own security risks.

In our January blog, we discussed JSPatch, an open source hot patching solution. While JSPatch allows developers to provide better support to users by quickly fixing problematic apps, it potentially allows malicious actors to engage in attacks that evade current iOS security controls.

In this episode, we take you on a tour of Rollout.io, a commercial (though currently with limited free access) solution that attempts to address the remote patching problem with an eye towards security.

Episode 2: Rollout.io

According to their website, Rollout is an Israel-based, venture capital-backed technology startup founded in 2014. The core product is a commercialized solution to the iOS patching problem that essentially allows developers to update their app’s behavior, following an app’s initial approval and release, without going through Apple’s App Store review process.

Co-founder Erez Rusovsky stated that Rollout “created an SDK that allows you to remotely hot-patch native production applications”.  Rollout’s mission statement further states that:

Rollout.io’s mission is to bridge the gap between developers and their live apps. When a live app needs updating, app developers usually wait days and even weeks to get the new version out to their users. Rollout solves this problem by giving developers code-level access to their live apps.

Rollout is aware of the concerns within the community that patching apps outside of the App Store could be a violation of Apple’s review guidelines and practices. Rollout notes both on their FAQ site and in a longer blog post that their process is in compliance.

Technical Wonderland

JSPatch, which we discussed in our previous blog, provides a relatively simple patching framework consisting of three Objective-C files to be imported to an iOS app to activate the remote hot patching capability. As a commercial offering, Rollout offers a software development kit (SDK) and infrastructure that supports patching for scale and efficiency. Rollout provides a simple overview of their process, but also gives us an insider look into the tech stack and the “under the hood” mechanics of their Rollout SDK through their technical blogs. For our analysis, we focus only on the dissection of the Rollout SDK.

In a nutshell, Rollout SDK is built on the following three technologies:

●    dSYM file
●    Method Swizzling
●    JavaScriptCore framework

iOS Debug Symbol File

According to Rollout, the following steps are taken for an app to hook up with Rollout:
The developer chooses to use Rollout SDK and imports the SDK into their app.
The Rollout SDK parses the app code and generates the dSYM file (debug symbol file), which is uploaded to Rollout’s back end.
The dSYM file is rendered in the developer portal and available to the app developer for use in reviewing and patching an app.

The end result is rendered by Rollout’s developer portal and presented to the developers, allowing them to select and patch a function. Through the Rollout portal, the developer has easy access to all the defined classes (e.g. ViewController) and selectors (e.g., imagePickerController:didFinishPickingMediaWithInfo:) of the analyzed app, as shown in Figure 1.


 
Figure 1: Rollout developer portal allowing the developer easy access to all defined classes and methods in the app

The most common way to patch a bug in an existing function is to replace the faulty implementation of the function with a new, fixed one. But there are situations where a fix is needed in multiple places across the application. In this case, the best practice is to create a new function that encapsulates the shared routine. In Rollout, one can easily achieve this through the interface shown in Figure 2.



Figure 2: Rollout developer portal allowing the developer to add a new method into a class

Rollout also allows developers to resolve problematic situations such as when a method was renamed but still called from some code in the UI, which requires the developer to link the disconnect by a new wrapper method. In this case, selecting a function to be fixed (such as [ViewController imagePickerController:didFinishPickingMediaWithInfo:] shown in Figure 2) will display the JavaScript patch editing interface shown in Figure 3.

 
Figure 3: Rollout develop portal providing a JavaScript editing interface for patch development

Method Swizzling

Method swizzling is known to iOS developers as “black magic.” In short, method swizzling is an Objective-C runtime technique that allows one implementation of a method to replace an existing implementation of another method (of a class or instance) at runtime.

The term “implementation” refers to the actual function pointer to the code (implementation) of the method. The Objective-C runtime maintains a struct called "objc_method" for each method of a class. This struct has the method name, the argument, the return types of the method, and the "implementation" of the method, which is represented by a pointer IMP pointing to a C function. Therefore, swizzling basically involves exchanging the value of the "implementation" field between the objc_method data of two different methods. Figure 4 and Figure 5 depict a visualization of the process:
 
Figure 4: The original selector and its implementation mapping in class FortitudeViewController before swizzling
   
Figure 5: The selector and implementation mapping in class FortitudeViewController after method swizzling

In Figure 4, which shows the state before swizzling, each selector in Class FortitudeViewController contains a corresponding pointer IMP that points to its real implementation, which is a C function behind the scene. For instance, selector1 is an objc_method struct that contains pointer IMP1.

The “magic” lies in the availability of three essential C functions in the Objective-C runtime:

●    method_exchangeImplementations
●    class_replaceMethod
●    method_setImplementation

The most common and intuitive way to perform a method swizzling is similar to what is shown in Figure 6.
 

Figure 6: Example code showing method swizzling

This code will turn the internal runtime relation of the relevant methods into the conceptual structure shown in Figure 5. This effectively allows one to replace an existing implementation of a function with a new one, thus leading to a new and uncharted behavior of an app at runtime.

There have been many discussions about the pitfalls and dangers of utilizing this “black magic.” A primary focus is to avoid the unintended side effects of using the C function method_exchangeImplementations (shown above) by instead using class_replaceMethod and method_setImplementation. Further details are beyond the scope of this blog post.

Apple does not seem to have provided any official documentation for the concept of method swizzling, despite documenting the associated runtime APIs. However, it is a general consensus within the developer community that method swizzling is permitted. It should be noted that to date, Apple does not appear to have rejected an app during its review process due to the use of method swizzling.

JavaScriptCore.framework

The JavaScriptCore framework was introduced into iOS at version 7. It allows one to evaluate JavaScript programs from within a C-based program. It also lets users insert custom objects to the JavaScript environment. On iOS, it is similar to an Objective-C wrapper of WebKit’s JavaScript engine, thus extending the capability and power of scripting beyond a web client to the whole app.

The following four classes form the cornerstone of the framework:  

●    JSVirtualMachine represents the virtual JavaScript runtime environment that allows JavaScript to run and to be executed. To initiate a virtual machine instance in Objective-C, one does the following:
JSVirtualMachine *vm = [[JSVirtualMachine alloc] init];

●    JSContext talks to the above runtime, provides access to global objects that reside in the context, and performs the execution of JavaScript code. For example, in Objective-C, one can initiate a JSContext instance and declare a variable in the manner shown here:
JSContext *context = [[JSContext alloc] initWithVirtualMachine:vm];
context[@”name”] = @”Jean-Luc”;
context[@”organization”] = @”Enterprise”;

●    JSValue is the class that represents arbitrary data in JavaScript. For instance, we have:
JSValue *name = context[@”name”];
JSValue *organization = context[@“organization”];
NSLog(@”Captain Name: %@ \nOrganization: %@”, name, organization);

●    JSExport is a protocol that allows one to expose parts of Objective-C classes and methods to JavaScript. The wrapper created through this protocol functions as a passthrough between the Objective-C runtime and the JavaScript runtime. This one object thus facilitates the sharing between the two execution contexts allowing code in one environment to change the states of the other.

Rollout Patch Capability

Rollout exposes to developers only a limited set of JavaScript APIs that can be permitted in the Objective-C runtime environment. Its API documentation shows the following essentials:

●    R: the Rollout namespace object that allows integration with the Rollout SDK, the containing function, and the application’s runtime. Within which, it offers the functionality of the Foundation C function NSClassFromString, as shown in Figure 7.

Figure 7: Portion of Rollout 'R' namespace


●    ObjcBox: encapsulates Objective-C NSObject instances. It allows a transformation from an Objective-C instance to a JavaScript value. There are two important functions, as shown in Figure 8:
 
Figure 8: Portion of Rollout ObjcBox namespace

The APIs provided by Rollout and the legitimate use cases they describe for their hot patching infrastructure are simple, limited, and benign. However, as with many well-intentioned solutions, the possibilities of misuse or abuse remain when malicious individuals think outside the box.

The Usual Suspects

In our blog on JSPatch, we outlined several attack capabilities that could be carried out against that technology, such as loading arbitrary public or private frameworks into an app. The types of capabilities we described for JSPatch also work against Rollout, though we do not provide specific examples here. Instead, we highlight a few additional scenarios specific to Rollout to avoid duplication.

Example 1: Load arbitrary private frameworks and utilize unauthorized private APIs

●    Targeted private framework: /System/Library/PrivateFrameworks/CoreRecents.framework
●    Targeted private API: [[CRRecentContactLibrary defaultInstance] maxDateEventsPerRecentContact]

Figure 9 and Figure 10 show sample exploitation code and the associated console output loading the private framework CoreRecents.framework.
 
Figure 9: Sample exploitation code for loading a private framework

Console Output:


Figure 10: Sample console output showing successful load of the framework

Both this example and the following ones make use of Apple iOS private APIs. The pros and cons of the use of these private APIs by third party apps has been at the center of much debate. In general, common sense suggests that the use of Apple’s private APIs by third party apps is risky due to security risks as well as stability concerns (for example, unexpected behavior if Apple changes the internals of the private APIs). Despite Apple’s efforts to prohibit the practice of utilizing non-public APIs, it has proven difficult to identify their use when developers use obfuscation and other even more clever and sophisticated maneuvers.

That said, when an app developer with malicious intent makes use of these private APIs, the use of the APIs will leave traces within the app code itself. This means the malicious code within the app is subject to potential discovery by Apple or a third party. However, with Rollout’s dynamic hot patching process, the intent – that is, the malicious code – can be separated from the app binary itself in the form of a hot patch. Rollout, as a remote hot patching solution, is not the only means one can resort to separating private API calls from the app binary, but it lowers the bar for malware developers to achieve so.

Example 2: Load arbitrary public frameworks and utilize unauthorized private APIs

●    Targeted public framework: /System/Library/Frameworks/AVFoundation.framework
●    Targeted private API: [AVCaptureDevice devices]

Figure 11 and Figure 12 show sample code used to successfully access the iPhone’s cameras and microphone.    

Figure 11: Example exploit code loading public framework to access the private AVCaptureDevice API

Console outputs three devices: Back Camera; Front Camera; iPhone Microphone.


Figure 12: Console output showing access to the iPhone cameras and microphone

Example 3: Test device for the presence of a targeted app

The ability for one app to check for the presence of another app raises both privacy and security concerns (for example, checking for the presence of an app in order to exploit it). The primary method for obtaining a list of installed apps is through the private API [LSApplicationWorkspace allInstalledApplications]. As we have seen, use of these private APIs is prohibited by Apple’s Developer Program License Agreement.

Some app developers have sought other means to determine installed apps without using Apple’s private APIs. For example, iHasApp used the public API [UIApplication canOpenURL:] to identify installed apps based on their supported URL schemes. Unfortunately, the extensive usage of the API and associated detection method in a large volume of apps resulted in iHasApp and its derived framework being shut down by Apple, and the API being flagged during the app store vetting process.

However, Rollout eliminates this constraint because the API can be called via a hot patch outside of the app itself.

Figure 13 and Figure 14 show sample code using canOpenURL: to detect installed apps.
Figure 13: Sample exploit code calling canOpenUrl
 
Figure 14: Console output showing app detection

Example 4: Make phone calls to premium numbers without consent

By utilizing the public API [UIApplication openURL:], one can launch the native mobile phone app and make a phone call to an arbitrary premium number. This activity would be immediately visible to the user when the phone app interface was unexpectedly displayed. However, use of the exploit could be fine-tuned by applying environmental checks (for example, only initiate calls when the user is asleep) and maintaining a status of long running background process through background modes.  

Figure 15 and Figure 16 show sample code for dialing a premium number and the successful connection.    

Figure 15: Sample exploit code used to dial a premium phone number

 
Figure 16: Console output showing successful call

Example 5: Take screenshot without informing the user

Figure 17, Figure 18, and Figure 19 show that through the patch, one can take screenshots of the current foreground screen by utilizing non-public API [UIImage createSnapshotWithRect:] without the user’s knowledge. The screenshots are saved in the sandbox of the application, which can be further exflitrated outside of the device.


Figure 17: Sample exploit code showing the use of private API [UIImage createSnapshotWithRect:] to capture the screen



 
Figure 18: Console output showing that the captured screenshot has been saved to the sandbox
 
Figure 19: App sandbox content showing the captured images

All of the above tests were performed on a device that runs iOS 8.4. Apple has released a number of iOS versions through the years to fix and close security holes reported by both industry practitioners and academic researchers. Most of the private or public APIs that could have been abused are protected through various access controls  (e.g., entitlements to the Address Book) in newer versions of iOS. However, the reality is that there are a significant number of users who are not keeping their devices’ OS version up-to-date. The ramifications are that “old” attacks through private APIs, which are ineffective against iOS 8.4 or iOS 9, would still be effective against some devices.

Threat Scenario

In our earlier blog on JSPatch, we highlighted three general attack scenarios using an iOS remote hot-patching vector. Of these, two are still present on Rollout in a similar fashion:

1.    Precondition: 1) Embedded 3rd party ad SDK is malicious.
a.    Consequences: ad SDK has the right to write to the database, which allows it to change the behavior of the app.
2.    Precondition: 1) App developer is malicious.
a.    Consequences: app developers can perform stealthy persistent but temporary actions against the user including by utilizing Private APIs.

It has been pointed out that an app developer with malicious intent will strive to find a way to distribute their malicious app regardless of the particular framework used. That is, no existing distribution method can fully guard against malicious intent. While we agree with this statement, we also believe it is important to understand how different distribution methods may help or hinder a malicious developer in deploying their malicious code. A developer wishing to distribute a malicious app through the App Store would need to slip the malicious code past the review process. The third-party hot patching frameworks developed to date do not include any review process, so it helps to understand how malicious patches could be distributed and where (or whether) they could be detected.

A risk of hot patching frameworks is that because patches can be deployed ‘on the fly’, a developer could distribute a legitimate app, temporarily deploy a patch to carry out specific malicious activity, and then deploy another patch to revert the app back to its normal, non-malicious behavior. Because this activity can occur automatically in the background, users are highly unlikely to notice the change, and replacement of the malicious patch with a “clean” one could leave little evidence that anything suspicious had occurred.

To put the threat scenario in perspective, we provide a visualization of such an attack to reinforce the concept and facilitate understanding.  

Fictional Malicious Plotting

Synopsis
Our fictional app FortitudeSeries was a new release of an iOS app that allows one to add filters to selected photos from the device photo gallery and save the edited photos back to the gallery. In order to offer the user a better experience with quality performance and stable software, we decided to use the Rollout.io service to maintain the ability to remotely hot-patch bugs and security issues should they be discovered in the future.

After testing several patches, we identified several actions we could take outside of what the app was originally designed for. We first tried saving an original copy of all the filtered photos in the sandbox, and it was a quick success. We then became curious about the photos the user does not select for filtering, so we issued a new patch to capture a screenshot of the user’s photo gallery. This too was simple to achieve.


Production
Our fictional attack is demonstrated through three stages to show the following scenarios:

●    Stage 1: Rollout patching is disabled in the backend. FortitudeSeries only exhibits its legitimate behavior. A user selects a photo from the photo gallery by pressing the button “Select A Photo”. Once the photo is selected, the console outputs “Filtering the selected image” and the photo gallery view is dismissed. The app’s Documents directory does not hold any data, therefore, it remains empty. Figure 20 shows the source code of the main view controller of FortitudeSeries.
 

Figure 20: Objective-C code for the core implementation of fictional app FortitudeSeries

●    Stage 2: Rollout patch is enabled with the code shown in Figure 21. The user restarts the app and performs the same sequence of actions. The app’s Documents directory keeps a record of the selected photos and labels them with the timestamp of the photo that was selected.
  

Figure 21: Rollout patch code for saving a copy of the user selected photo in the sandbox

●    Stage 3: Rollout patch is enabled with different code, as shown in Figure 22. The user restarts the app and performs the same sequence of actions described above. The app takes a screenshot of the photo gallery and saves a copy to the sandbox Documents directory using the same naming scheme presented above.
 

Figure 22: Rollout patch code for capturing a screenshot of the photo gallery in stealth

Once the data is in the sandbox of the app, the app may deal with it however it wants. A conceivable approach is to exfiltrate it to a developer-controlled server. It should not be surprising that this can be done via a Rollout patch script that executes at runtime without Apple’s knowledge.  

The operation of the demo is therefore done in the following three stages:

●    Stage 1: Develop FortitudeSeries in Objective C and Rollout; deploy it to a user device to allow the user filter selected photos; check the Rollout patch; perform the expected actions on the installed app; check the console log; check the sandbox Documents directory;
●    Stage 2: Enable Rollout patch with script for scenario I; restart the app; perform the expected actions on the installed app; check the console log; check the sandbox Documents directory;
●    Stage 3: Comment out the patch script for scenario I and enable script for scenario II; restart the app; perform the expected actions on the installed app; check the console log; check the sandbox Documents directory.

Primed with the above depiction, it should be easy to understand the recorded demo below even without a narrative.

Rollout Security Defense

The chances of a successful man-in-the-middle (MITM) attack through the use of poor encryption (or no encryption) of the patch script content can be reduced significantly through secure implementation of the app and any supporting hot patching framework.

To prevent patches from being tampered with, Rollout invested in the following security measures:

●    The app retrieves the patch data from Rollout.io server through HTTPS. This significantly lowers the chances of being a target of MITM attacks.
●    The patch data is signed by a Rollout.io private key and therefore can only be decrypted by a key that’s known to the iOS app.

Security Weakness

The above protection ensures that data is secure in transmission. However, once the patch data lands on the device, it is decrypted accordingly and stored in the sandbox in plaintext. Figure 23 shows the directory #APP_SANDBOX/Library/Caches/#APP_ID containing a specific database Cache.db that contains data resulting from the hot patch network communications.
 

Figure 23: File structure view of the directory encompasses the database of patch data

All patches that have been pushed to production and received by the client app are stored as a record in the table cfurl_cach_receiver_data as shown in Figure 24.
 

Figure 24: DB table cfurl_cach_receiver_data containing all records of production patches

Each patch is stored in the receiver_data column in JSON format. The JavaScript code is mapped to the key “configuration” in based64 format. For example, the highlighted data blob in Figure 24 contains the based64 encoded content shown in Table 1:


Table 1: base64 content from patch database

Its corresponding ASCII format is the data is shown in Figure 25.

Figure 25: Decoded base64 content

Given Rollout’s existing security measures such as HTTPS and asymmetric encryption, as well as iOS’s sandbox, this weakness is a minor issue. Since there are other attack vectors that can be more easily exploited (for example those described in our threat scenario I and II), a third party library may be less motivated to tamper the patch to their advantage. Should circumstances change and one chooses to do, this weakness is really to be leveraged.

Field Survey

Rollout’s web site states that its product is “trusted by thousands of mobile app developers”. As Rollout provides a solution for a problem that is unique to iOS developers, we can speculate that all its customers are iOS app developers at this point. Though a few have been highlighted on their main page, the exact number of App Store-approved apps that use Rollout SDK is unknown. We performed a scan using FireEye’s infrastructure in late 2015 and found 130 apps that have been or still are in the App Store using Rollout as a remote hot patching solution. This number has since grown to 245 as of Jan. 19, 2016.  

As opposed to apps that adopted JSPatch as the remote hot patching solution, which are predominantly Chinese apps for Chinese speaking users, apps that use Rollout are mostly marketed towards English speaking users. Many offer localization for a variety of languages. There are no distinct features among these apps; they span a variety of categories including education, social networking, magazines and newspapers, lifestyle, photo and video, games and more. Most of the apps have very low user adoption in the App Store at this point. The most popular app seems to have accumulated a download record of 62,869 times, while the vast majority have no popularity rating on file.  

At the time of this writing, we have not confirmed any malicious activity related to any app that uses the Rollout SDK. We are simply reporting on potential vulnerabilities and avenues for misconduct that could potentially be exploited when using this tool. 

Epilogue

Conclusions

iOS remote hot-patching through a non-Objective-C language to effectively evade the Apple review process – a process that has so far largely led to a safe and clean app ecosystem – is now a reality. Our analysis has placed JSPatch and Rollout under the spotlight as examples of two hot patching frameworks with very different characteristics:

  • JSPatch is developed by a Chinese developer; Rollout.io is provided by an Israel-based company.
  • JSPatch is open sourced; Rollout.io is a commercial product.
  • JSPatch is adopted mostly by Chinese app developers; Rollout.io is marketed to English speaking or international developers.
  • JSPatch and Rollout.io offer different syntax and capabilities for JavaScript code.
  • The infrastructures are far from the same.

Despite differences in their implementation, both are similar in that they potentially allow a developer to turn an innocuous looking app into something malicious – all while circumventing Apple’s App Store vetting process. What’s more, the underlying “biology” is the same for the two solutions: the combination of JavaScriptCore framework and method swizzling.

When conducting our research, we contacted Rollout regarding the issues described in this post. We gratefully acknowledge Rollout’s responsiveness and assistance in addressing them. As a result, Rollout has indicated that they will prevent developers from accessing iOS private APIs and private frameworks in their future releases of the product so that all patch code is subject to the same types of checks as those in the Apple review process. With Rollout’s upcoming release, the attack examples shown here would be thwarted.

Additional Food for Thought

The current limitations of the App Store review process and the desire from developers for a faster solution means that hot patching, as a process, is unlikely to go away any time soon. We hope that by describing these underlying risks, patch framework developers will institute additional security controls to ensure that they are providing developers with convenience and productivity in iOS app development all while maintaining a clean and safe ecosystem.

In this ecosystem, iOS users are the least able to protect themselves and, consequently, the most vulnerable. When it comes to user security, it is difficult to decide which single stakeholder should assume the responsibility of maintaining and sustaining a safe and clean iOS mobile environment. While Apple has come a long way in keeping its mobile users safe from malware, the task has become increasingly difficult. It is not outrageous to expect third party library or framework providers to offer extra security to ensure their services are not being abused.

While we do not have a definite solution for this complicated issue, we believe a system that functions as follows could potentially increase iOS user security: 1) App developers providing to Apple a list of the third party libraries and frameworks that they use, 2) The underlying technologies of third party libraries and frameworks being provided to Apple, and 3) Third party library or framework providers improving security to ensure their services are used as intended.