Another iOS vulnerability? Is JSPatch a serious security risk?

Apple does a pretty good job of keeping the iOS ecosystem locked down, but that does not mean it's completely safe from vulnerabilities. Cyber security firm FireEye posted on its blog some information about a new possible threat for iOS. Developers for this platform have looked for ways to push patches to users faster, without waiting for Apple's approval each time. These practices do not meet the security standards that Apple enforces. By using the open source solution JSPatch, developers could allow malicious apps to be installed right from the Apple App Store.


How does JSPatch work?

JSPatch is a JavaScriptCore framework and, according to its creator:

“JSPatch bridges Objective-C and JavaScript using the Objective-C runtime. You can call any Objective-C class and method in JavaScript by just including a small engine. That makes the APP obtaining the power of script language: add modules or replacing Objective-C code to fix bugs dynamically.”

This framework can be used to deploy patches and code updates. That is fine as long as the developer has good intentions. In the wrong hands, however, the same mechanism is a risk: an attacker who can modify a JavaScript file that an app loads through JSPatch can compromise the security of that iOS device.
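
For teams auditing their own builds, a small scanner can flag whether an app embeds JSPatch at all. This is an added example, not code from the original post, FireEye or the JSPatch project; it matches on the `JPEngine` class name and the `defineClass(` call from JSPatch's public API and assumes an unencrypted build. The `needs_review` heuristic, the helper names and the sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Indicators from JSPatch's public API: the Objective-C engine class and the
# JavaScript function a patch script calls to redefine an Objective-C class.
ENGINE_MARKER = b"JPEngine"
SCRIPT_MARKER = re.compile(rb"\bdefineClass\s*\(")


def scan_ipa(ipa_bytes):
    """Return the archive members that embed the engine or a patch script."""
    findings = {"engine": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            if info.is_dir():
                continue
            data = ipa.read(info)
            if info.filename.lower().endswith(".js"):
                if SCRIPT_MARKER.search(data):
                    findings["scripts"].append(info.filename)
            elif ENGINE_MARKER in data:
                findings["engine"].append(info.filename)
    return findings


def needs_review(findings):
    """Heuristic (assumption): engine but no bundled script => fetched at run time."""
    return bool(findings["engine"]) and not findings["scripts"]


def build_sample_ipa(members):
    """Build a constructed in-memory .ipa (a zip archive) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, data in members.items():
            archive.writestr(path, data)
    return buf.getvalue()


# Constructed samples, not real apps.
SAMPLE_REMOTE = build_sample_ipa({"Payload/Demo.app/Demo": b"\xcf\xfa\xed\xfeJPEngine\x00"})
SAMPLE_BUNDLED = build_sample_ipa({
    "Payload/Demo.app/Demo": b"\xcf\xfa\xed\xfeJPEngine\x00",
    "Payload/Demo.app/fix.js": b"defineClass('ViewController', {})",
})

if __name__ == "__main__":
    for name, ipa in (("remote", SAMPLE_REMOTE), ("bundled", SAMPLE_BUNDLED)):
        print(name, scan_ipa(ipa), needs_review(scan_ipa(ipa)))
```

A hit only shows that the engine is present; where the script comes from and how its delivery is protected still has to be checked by hand.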
