Sandboxing is a fundamental tenant of secure operating systems, intended to insulate apps and their associated data from each other, and avoid the very attacks and activities that Jekyll was able to carry off. It's also explicitly used as a technique for detecting malware by running code in a protected space where it can be automatically analyzed for traits indicative of a malicious activity. The problem is that attackers are well aware of sandboxing and are working to exploit existing blind spots. [See "Malware-detecting 'sandboxing' technology no silver bullet"
"The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says," according to Talbot's account. "During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm."
"The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," Lu says.
The results of the new attack, in a paper titles "Jekyll on iOS: when benign apps become evil," was scheduled to be presented in a talk last Friday at the 22nd Usenix Security Symposium, in Washington, D.C. The full paper is available online. In addition to Wang and Lu, the other co-authors are Kangjie Lu, Simon Chung, and Wenke Lee, all with Georgia Tech.
Apple spokesman Tom Neumayr said that Apple "some changes to its iOS mobile operating system in response to issues identified in the paper," according to Talbot. "Neumayr would not comment on the app-review process."
Oddly the same July 31 Georgia Tech press release that revealed Jekyll also revealed a second attack vector against iOS devices, via a custom built hardware device masquerading as a USB charger. Malware in the charger was injected into an iOS device. This exploit, presented at the recent Black Hat Conference, was widely covered (including by Network World's Layer8 blog) while Jekyll was largely overlooked.
Read more about anti-malware in Network World's Anti-malware section.