Apple's App Store is considered an iron vault when it comes to the security and safety of the nearly 1 million apps found there, but researchers at Georgia Tech said they were able to sneak malware into apps in the store, malware which could then be downloaded onto iPhones and iPads.
Their report, "Jekyll on iOS: When Benign Apps Become Evil," was presented at the USENIX Security Symposium in Washington, D.C., last week. Researchers from the School of Computer Science, College of Computing at Georgia Institute of Technology created a proof-of-concept "Jekyll" app and "successfully published it in the App Store."
Using the app, "we remotely launched the attacks on a controlled group of devices that installed the app," they wrote in their paper. "The result shows that, despite running inside the iOS sandbox, (the) Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps and even exploiting kernel vulnerabilities."
Apple spokesman Tom Neumayr told NBC News Monday the company takes "security very seriously," and was well aware of Georgia Tech's findings. The researchers "informed us of their projects earlier this year," he said. "We would like to thank the researchers for their valuable input."
Three security issues have been "addressed in iOS 6," the current mobile operating system, he said. "Additional issues from the Jekyll paper have been addressed in the latest beta (test version) of iOS 7 [due for public release this fall] and as always, we'll continue to provide security updates in upcoming releases."
But what has been patched is not totally clear yet. "Apple has indicated that it is continuing to work on ways to address the weaknesses revealed through Jekyll and, as of yet, has not publicly released a solution," said a Georgia Tech press release.
Georgia Tech research scientist Tielei Wang told NBC News that the team "made a full disclosure of our attack scheme to Apple in March 2013 and have since been in correspondence with Apple." However, Wang said, it's up to users to pay close attention to the kinds of apps they download from the App Store.
"Since Apple doesn't open too many interfaces for third-party security apps, the end users don't have too many options to protect themselves," Wang said in an emailed statement. "The only suggestion is that they should be very cautious when download and use any third-party apps."
The researchers noted in their paper that in the "history of iOS, only a handful of malicious apps have been discovered. This is mainly attributed to the advanced security architecture of iOS and the strict regulations of the App Store."
Georgia Tech researchers also looked at iOS security issues "when performing everyday activities such as charging a device," the school said. Researcher Billy Lau and his team created a "proof-of-concept malicious charger using a small, inexpensive single-board computer" called "Mactans."
It "can easily be constructed to resemble a normal iPhone or iPad charger. However, once plugged into an iOS device, Mactans stealthily installs a malicious app."
Apple, the university said, has put software in iOS 7 that "notifies users when they plug their mobile device into any peripheral that attempts to establish a data connection," the university said.
Android, Google's mobile operating system, is better known for having security holes, in part because of the openness of the operating system and because less stringent approvals are required by Google for apps to make it into its Google Play store. The company, however, is working to change that, by cleaning out the bad apples, so to speak.
Check out Technology and TODAY Tech on Facebook, and on Twitter, follow Suzanne Choney.
First published August 19 2013, 1:53 PM