{
	"id": "55d145ca-afdb-4dda-a608-b26f526fb943",
	"created_at": "2026-04-06T00:12:32.097394Z",
	"updated_at": "2026-04-10T03:21:07.683823Z",
	"deleted_at": null,
	"sha1_hash": "64b86b6599a76aa4e2a3091d93490d49dd8406a2",
	"title": "Jekyll on iOS: When Benign Apps Become Evil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108462,
	"plain_text": "Jekyll on iOS: When Benign Apps Become Evil\r\nArchived: 2026-04-05 15:47:24 UTC\r\nApple adopts the mandatory app review and code signing mechanisms to ensure that only approved apps can run\r\non iOS devices. In this paper, we present a novel attack method that fundamentally defeats both mechanisms. Our\r\nmethod allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the\r\nApple review process. Once the app passes the review and is installed on an end user’s device, it can be instructed\r\nto carry out the intended attacks.\r\nThe key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by\r\nrearranging signed code. Since the new control flows do not exist during the app review process, such apps,\r\nnamely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.\r\nWe implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched\r\nthe attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the\r\niOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking\r\nphotos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting\r\nkernel vulnerabilities.\r\nNote: Updated version contains the corrected acknowledgements\r\nOpen Access Media\r\nUSENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely\r\navailable to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also\r\nfree and open to everyone. Support USENIX and our commitment to Open Access.\r\nBibTeX\r\n@inproceedings {180384,\r\nauthor = {Tielei Wang and Kangjie Lu and Long Lu and Simon Chung and Wenke Lee},\r\ntitle = {Jekyll on {iOS}: When Benign Apps Become Evil},\r\nbooktitle = {22nd USENIX Security Symposium (USENIX Security 13)},\r\nyear = {2013},\r\nisbn = {978-1-931971-03-4},\r\naddress = {Washington, D.C.},\r\npages = {559--572},\r\nurl = {https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei},\r\npublisher = {USENIX Association},\r\nmonth = aug\r\n}\r\nhttps://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei\r\nPage 1 of 2\n\nPresentation Video\r\nPresentation Audio\r\nSource: https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei\r\n0:00 / 29:32\r\nhttps://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei"
	],
	"report_names": [
		"wang_tielei"
	],
	"threat_actors": [],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64b86b6599a76aa4e2a3091d93490d49dd8406a2.pdf",
		"text": "https://archive.orkl.eu/64b86b6599a76aa4e2a3091d93490d49dd8406a2.txt",
		"img": "https://archive.orkl.eu/64b86b6599a76aa4e2a3091d93490d49dd8406a2.jpg"
	}
}