Ins0mnia Flaw Let Dangerous iOS Apps Run In Background ‘Indefinitely’

Researchers say Ins0mnia flaw could have let malware be distributed through the App Store – before it was patched

Researchers at FireEye discovered a “rare” loophole in iOS that could have allowed attackers to distribute malware through the App Store.

‘Ins0mnia’, which has since been patched by Apple in iOS 8.4.1, allowed a potentially malicious application to run permanently in the background, accessing data and performing other tasks, even if a user closed the app and it was no longer visible in the task switcher.

iPhone and iPad apps can only run in the background for roughly three minutes before the application is terminated by iOS. This safeguard allows apps with legitimate permission to access functions to perform tasks, while preventing others from eavesdropping.

I can’t get no sleep

iPhone 6 4“For example, a music app may have legitimate reason to ask permission to access GPS location and microphone while working on the foreground, but few users would want the app to run in the background to continually monitor GPS locations and recording audio,” said the researchers. “The control by iOS is supposed to prevent such abuse of permissions.”

However Ins0mnia tricked iOS into believing the device was being debugged, meaning the time limit never expired. A piece of malware could have stolen information and sent it to a remote server without a user’s knowledge – not only compromising privacy, but harming performance and draining battery life.

“To fool iOS, a malicious application could leverage ptrace, and utilize the ptrace code that handled the PT_TRACE_ME request to set the flag P_LTRACED and gracefully return 0,” explained FireEye. “By setting the P_LTRACED flag, the application prevented the assertiond process from suspending the malicious application. Note that PT_TRACE_ME was a request made by the traced process to declare that it expected to be traced by its parent.

Apple’s ‘walled garden’

“We also noticed that an application did not need the get-task-allow entitlement to be set to true, nor did it need any other special entitlements or background modes. Unlike other known iOS malware that runs only on jailbroken devices, or must be distributed with Apple Enterprise Certificates, a hypothetical Ins0mnia malware didn’t require anything not allowed by Apple. We believe that such an application had a high probability of passing the Apple Store review, making it a rare loophole for an attacker to distribute malware within Apple’s walled garden.”

While Apple has fixed the vulnerability in question, the company’s attitude towards security has come under scrutiny in recent months following claims Apple has known about major zero-day flaws for months in both iOS and Mac OS X without taking action.

However in general, iOS is considered a far safer platform than Android because of the “walled garden” referred to be FireEye. Apple vets every application that is submitted to the App Store but as recent events have shown, some apps are capable of slipping through the net.

Are you a security pro? Try our quiz!