AppBleed is a proof-of-concept iOS app that displays the apps currently installed on a device without being restricted by the sandbox.
How does it work?
By using the Launch Services private API implemented in MobileCoreServices.framework, we can retrieve the list of apps currently installed on the device, where they are located in the filesystem, their extensions (VPN, widgets, …) and other details as well.
AppBleed makes use of the PBLMobileCoreServicesHelper class. This class provides a singleton object (a helper) that we can use to query basic information from Launch Services (a more advanced implementation was not required for this PoC).
PBLMobileCoreServicesHelper includes the required private headers from the MobileCoreServices framework. We also open the dylib dynamically at run time, using the standard functions provided by the operating system.
Dynamic linking is a common and simple way to get past App Store review. Combined with proper code obfuscation, an app that retrieves orders from a Command & Control server can be submitted to the App Store and, once approved, activate its malicious code and retrieve data from its users' devices.
This does not require a jailbreak or any particular exploitation, but it can be considered a threat to user privacy.
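The point above is that a binary which opens a dylib at run time carries an incomplete static import list, so a review that only inspects linked frameworks and imported symbols misses what gets loaded later. The following script is an added example written for this README, not AppBleed's own code: it approximates what a reviewer does with `strings` over an app binary, pulling out printable runs and checking two indicators together, the dynamic loader entry points (dlopen/dlsym) and any path under `/System/Library/PrivateFrameworks/`. The three sample binaries at the bottom are constructed byte strings, not real Mach-O files, and the framework name `Example` is a placeholder.

```python
"""Static triage for dynamic loading of private iOS frameworks.

Added example for the AppBleed README; not the project's own code.
It pulls printable runs out of a binary blob (the same rule `strings`
uses) and looks for two indicators: a dynamic loader entry point
(dlopen/dlsym) and a PrivateFrameworks path. The samples at the bottom
are constructed bytes, not real Mach-O files; "Example" is a placeholder.
"""
import re

# Symbol names an app imports when it opens a dylib at run time
# (leading underscore as in Mach-O symbol tables).
LOADER_SYMBOLS = (b"_dlopen", b"_dlsym")

# Private frameworks live under this path, which an App Store binary is not
# expected to reference. Assumption: heuristic only. The path may not appear
# as a plain string at all, which is why dlopen/dlsym on their own already
# mean the static import list is incomplete and the binary needs a human.
PRIVATE_FRAMEWORK_RE = re.compile(
    rb"/System/Library/PrivateFrameworks/[A-Za-z0-9_]+\.framework"
)

# Printable ASCII runs of at least four bytes, the default `strings` rule.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(blob):
    """Return every printable ASCII run of 4+ bytes found in blob."""
    return STRING_RE.findall(blob)


def scan(blob):
    """Report loader symbols and private framework paths with a verdict.

    Verdicts:
      "private_framework" - a PrivateFrameworks path is visible in the binary
      "dynamic_loading"   - dlopen/dlsym present but no target visible; the
                            static import list is incomplete, review by hand
      "clean"             - neither indicator found
    """
    strings = printable_strings(blob)
    loader = sorted({sym.decode() for s in strings
                     for sym in LOADER_SYMBOLS if sym in s})
    private = sorted({m.group(0).decode() for s in strings
                      for m in PRIVATE_FRAMEWORK_RE.finditer(s)})
    if private:
        verdict = "private_framework"
    elif loader:
        verdict = "dynamic_loading"
    else:
        verdict = "clean"
    return {"loader_symbols": loader,
            "private_frameworks": private,
            "verdict": verdict}


# Constructed sample: imports dlopen/dlsym and carries a private framework
# path as a plain string.
SAMPLE_SUSPECT = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12  # constructed header bytes
    + b"/usr/lib/libSystem.B.dylib\x00"
    + b"_dlopen\x00_dlsym\x00_objc_msgSend\x00"
    + b"/System/Library/PrivateFrameworks/Example.framework/Example\x00"
)

# Constructed sample: links only a public framework, no dynamic loading.
SAMPLE_CLEAN = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"/usr/lib/libSystem.B.dylib\x00"
    + b"/System/Library/Frameworks/UIKit.framework/UIKit\x00"
    + b"_objc_msgSend\x00"
)

# Constructed sample: dynamic loading present but no target string visible,
# the case the verdict sends to manual review.
SAMPLE_HIDDEN = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"/usr/lib/libSystem.B.dylib\x00"
    + b"_dlopen\x00_dlsym\x00"
)

if __name__ == "__main__":
    for name, blob in (("suspect", SAMPLE_SUSPECT),
                       ("clean", SAMPLE_CLEAN),
                       ("hidden", SAMPLE_HIDDEN)):
        print(name, scan(blob))
```

To run it against a real app, read the main executable from the `.app` bundle into `blob` and call `scan` on it. The `dynamic_loading` verdict is deliberately not treated as clean: once dlopen/dlsym are present, the list of linked frameworks says nothing about what the app will load after approval, which is exactly the gap the README describes.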
/me wants a fix!
Please install iOS 11 as it fixes the issue.
Extra info
Please visit https://github.com/PierreBlazquez/appbleed-ios