Hot patching allows developers to update their apps instantly without going through the standard App Store submission and review process. Both Rollout.io and JSPatch are popular hot patching frameworks for iOS. Rollout.io is a secure and commercial framework. JSPatch is open-source and popular among Chinese app developers. Apps using these frameworks have been in the official Apple App Store for about two years, but in April 2017 Apple began banning them.
Appthority explained in an earlier blog post on JSPatch that apps built with this type of “hot patch” framework expose an enterprise to significant risks, including but not limited to data leakage and privacy violations. In its letter to iOS app developers, Apple states, “Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.”
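The hijack Apple describes is possible because the app runs whatever script the remote endpoint hands it. As an added example (not code from JSPatch, Rollout.io or Appthority), the following Go program shows the check a hot-patch loader would need before evaluating a downloaded script; the manifest layout, the pinned-key arrangement and the sample patch body are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
// PatchManifest is a constructed format for this example, not JSPatch's or Rollout.io's.
type PatchManifest struct {
	Version   uint64   // strictly increasing; blocks replay of an older patch
	ScriptSHA [32]byte // SHA-256 of the script body the app would execute
	Signature []byte   // ed25519 over big-endian Version || ScriptSHA
}

func signedBytes(version uint64, sum [32]byte) []byte {
	buf := make([]byte, 8, 40)
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, sum[:]...)
}

// SignPatch runs on the developer's release machine, which holds the private key.
func SignPatch(priv ed25519.PrivateKey, version uint64, script []byte) PatchManifest {
	sum := sha256.Sum256(script)
	return PatchManifest{Version: version, ScriptSHA: sum, Signature: ed25519.Sign(priv, signedBytes(version, sum))}
}

// VerifyPatch is the app-side check that must pass before a downloaded script is evaluated:
// the signature proves who issued the patch (transport encryption alone does not), the hash
// binds the body to the manifest, and the version check stops rollback to an older patch.
func VerifyPatch(pinned ed25519.PublicKey, installed uint64, m PatchManifest, script []byte) error {
	if !ed25519.Verify(pinned, signedBytes(m.Version, m.ScriptSHA), m.Signature) {
		return errors.New("manifest not signed by the pinned developer key")
	}
	if m.Version <= installed {
		return errors.New("patch is not newer than the installed version (replay)")
	}
	if sha256.Sum256(script) != m.ScriptSHA {
		return errors.New("script body does not match the signed hash (altered in transit)")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the app would pin at build time
	script := []byte("// constructed sample patch body")
	m := SignPatch(priv, 3, script)
	fmt.Println("genuine:", VerifyPatch(pub, 2, m, script), "| altered:", VerifyPatch(pub, 2, m, append(script, '!')))
}
```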
So, is it safe now?
[Chart] Source: Appthority analyzed apps database
As shown in the chart above, the number of newly submitted iOS apps with these hot-patching frameworks dropped dramatically after Apple started banning them. Without these frameworks, it will be a little harder for attackers to hide their malicious behaviors with dynamic updates or launch serious man-in-the-middle attacks.
However, Appthority researchers believe that this type of risk remains a potential threat to enterprises. Here are two big reasons:
There is no easy way to avoid the risks these frameworks present, but to minimize the risk from apps that use them, users should make it a practice to only download apps from trusted app stores such as the Apple App Store or Google Play. Additionally, they are advised to read reviews and look for any indication that an app does not behave as expected.
Appthority customers can gain visibility into affected apps by configuring the behaviors “Uses JSPatch For Hot Patching” and “Uses Rollout.io For Hot Patching” as part of an Appthority policy. Appthority customers can also leverage the underlying behavior, “Performs Dynamic Symbol Lookups”, to detect apps that can dynamically load code independently of any specific framework or SDK.