Banking Apps Caught Using Unauthorized iOS APIs to Detect Jailbreaks

Recent technical analysis has uncovered a concerning practice among certain banking applications on iOS. These apps have been found to employ unauthorized private APIs to detect jailbroken devices and the presence of TrollStore, a popular sideloading tool. This discovery has raised significant privacy and security concerns within the iOS development community.

The Unauthorized Detection Technique

Security researchers at Verichains, a finance security firm, have identified at least two banking apps, BIDV SmartBanking and Agribank, that use a private iOS API to scan for specific applications on users’ devices. This API, known as SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions, is not intended for public use, and calling it violates Apple’s App Store guidelines.

How It Works

The banking apps employ this private API to check for the presence of various applications, including:

  • TrollStore
  • Package manager apps (e.g., Sileo, Zebra)
  • Jailbreak tools (e.g., Dopamine)
  • Other utilities like AppStore++

To evade detection during the App Store review process, the apps use XOR encryption to obfuscate the API calls and targeted app identifiers. This obfuscation technique temporarily succeeded in hiding the unauthorized behavior from Apple’s automated checks.
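An auditor can still surface this kind of obfuscation statically. The script below is an added example, not code from Verichains or from the apps discussed: it searches a binary blob for plain or XOR-encoded copies of watched strings without knowing the key. It assumes a repeating XOR key of one to four bytes (the article does not describe the key scheme), and the bundle identifier in the watch list is a placeholder.

```python
# Added example (not from the analysed apps): find plain or XOR-encoded copies
# of watched strings in a binary blob. Assumes a repeating XOR key of 1-4 bytes.

# The symbol name is the one named in the article; the bundle ID is a placeholder.
WATCHLIST = [
    b"SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions",
    b"com.example.placeholder.bundleid",  # hypothetical identifier
]


def lag_xor(data: bytes, lag: int) -> bytes:
    """XOR every byte with the byte `lag` positions after it.

    A repeating XOR key of period `lag` cancels out, so plaintext and any
    keyed copy of it produce the same sequence.
    """
    return bytes(a ^ b for a, b in zip(data, data[lag:]))


def find_xor_strings(blob: bytes, needles=WATCHLIST, max_key_len: int = 4):
    """Return (needle, offset, key) hits; key b"\\x00" means stored in the clear."""
    hits, seen = [], set()
    for lag in range(1, max_key_len + 1):
        blob_sig = lag_xor(blob, lag)
        for needle in needles:
            if len(needle) < 4 * lag:
                continue  # signature too short to be meaningful
            sig = lag_xor(needle, lag)
            pos = blob_sig.find(sig)
            while pos != -1:
                if (needle, pos) not in seen:  # shortest key wins
                    seen.add((needle, pos))
                    key = bytes(blob[pos + i] ^ needle[i] for i in range(lag))
                    hits.append((needle, pos, key))
                pos = blob_sig.find(sig, pos + 1)
    return hits


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used only to build the constructed sample below."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    symbol = WATCHLIST[0]
    sample = b"\x00\x11pad" + xor_encode(symbol, b"\x5a") + b"tail"  # constructed
    for needle, offset, key in find_xor_strings(sample):
        print(f"{needle.decode()} at offset {offset}, key {key.hex()}")
```

The recovered key is reported as it is aligned at the match offset, so for multi-byte keys it may be a rotation of the key the encoder used.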

Implications for User Privacy and Security

The use of private APIs to scan for installed apps raises several concerns:

  1. Privacy violation: Users have not consented to their devices being scanned for other installed applications.
  2. Sandbox breach: iOS’s sandboxing is designed to prevent apps from accessing information about other installed apps.
  3. Potential for abuse: While currently used to detect jailbreaks, this technique could be expanded to gather other unauthorized data.

App Store Policy Violations

Apple’s App Store Review Guidelines explicitly prohibit the use of private APIs. Specifically:

  • Section 2.5.1 mandates that apps may only use public APIs for their intended purposes.
  • The guidelines emphasize maintaining app stability, protecting user privacy, and upholding platform security.

By using the SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions API, these banking apps are in clear violation of these policies.

Potential Consequences

The discovery of this unauthorized API usage could lead to serious repercussions for the offending apps:

  1. App Store removal: Apple may remove the apps until the violations are addressed.
  2. Loss of user trust: Users may lose confidence in the apps’ commitment to privacy and security.
  3. Legal and regulatory scrutiny: Depending on jurisdiction, this behavior could attract attention from data protection authorities.

Industry Reactions

The iOS development community has expressed concern over this discovery. Many developers argue that while protecting against jailbroken devices is a valid security concern for banking apps, using unauthorized methods to do so is unacceptable and sets a dangerous precedent.

Alternatives for Jailbreak Detection

Banking apps have legitimate reasons to be cautious about jailbroken devices, as they can pose increased security risks. However, there are approved methods to enhance app security without resorting to private API abuse:

  1. Use Apple’s DeviceCheck API: This official API allows developers to assess the integrity of a device without violating privacy.
  2. Implement runtime integrity checks: Apps can use approved methods to detect if they’ve been tampered with or are running in an unsafe environment.
  3. Use the Secure Enclave: For sensitive operations, leverage hardware-backed security features available on modern iOS devices.

What’s Next?

As this story develops, several key questions remain:

  1. How will Apple respond to these App Store violations?
  2. Will other banking apps be found using similar techniques?
  3. How can the balance between app security and user privacy be better maintained?

The iOS security landscape continues to evolve, with developers, platform holders, and users all playing crucial roles in maintaining a secure and privacy-respecting ecosystem.


This incident serves as a reminder of the ongoing challenges in mobile app security and the importance of adhering to platform guidelines. As users, staying informed and cautious about app permissions remains crucial in protecting our digital privacy.