Jekyll on iOS: When benign apps become evil

Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, Wenke Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

80 Scopus citations


Apple adopts the mandatory app review and code signing mechanisms to ensure that only approved apps can run on iOS devices. In this paper, we present a novel attack method that fundamentally defeats both mechanisms. Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user's device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple's approval. We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.

Original language: English (US)
Title of host publication: Proceedings of the 22nd USENIX Security Symposium
Publisher: USENIX Association
Number of pages: 14
ISBN (Electronic): 9781931971034
State: Published - 2013
Externally published: Yes
Event: 22nd USENIX Security Symposium - Washington, United States
Duration: Aug 14 2013 → Aug 16 2013

Publication series

Name: Proceedings of the 22nd USENIX Security Symposium


Conference: 22nd USENIX Security Symposium
Country/Territory: United States

Bibliographical note

Funding Information:
We thank our shepherd Benjamin Livshits and the anonymous reviewers for their valuable comments. This material is based upon work supported in part by the National Science Foundation under grants no. CNS-1017265 and no. CNS-0831300, and the Office of Naval Research under grant no. N000140911042. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation or the Office of Naval Research.

Publisher Copyright:
Copyright © 2013 USENIX Security Symposium. All rights reserved.

