TrollStore was released on 3rd September 2022 as a revolutionary new iOS tool that lets users install any application permanently on a non-jailbroken device. This is a capability that threat actors have been waiting on for a long time.
With the arrival of TrollStore, iOS devices’ security is severely threatened. For your information, device jailbreaking means modifying the software to remove restrictions from the operator or manufacturers.
Why is TrollStore a Threat?
That’s because, due to Apple’s policies, distributing modded applications was almost impossible, a bigger obstacle than the actual modding process. The tool impacts all iOS versions from iOS 14.0 to 15.4.1.
On GitHub, its developers explain:
“TrollStore is a permasigned jailed app that can permanently install any IPA you open in it. It works because of the CoreTrust bug that ONLY affects iOS 14.0 – 15.4.1 (15.5b4). NOTE: TrollStore will NEVER work on anything higher than iOS 15.5 beta 4 (No not on iOS 15.5, not on iOS 15.6, and certainly not on iOS 16.x), please stop asking!”
According to GuardSquare, combining two newly discovered vulnerabilities (CVE-2022-26766 and CVE-2021-30937), TrollStore helps an adversary obtain root privileges and sign the tool with arbitrary entitlements. Therefore, running the app with arbitrary permissions/characteristics becomes possible.
GuardSquare security researcher Jan Seredynski explained in their blog post that before the introduction of this tool, modded app users used to jailbreak their devices or use different approaches to install repackaged applications.
But TrollStore takes away this effort and dramatically reduces the work needed to install modified apps, as the user no longer needs to jailbreak the device. There are serious repercussions for app developers, because jailbreak detection would no longer remain a “valid stopgap to mitigate the majority of repackaging efforts,” Seredynski wrote.
Moreover, most common repackaging detection solutions would not detect the repackaging, because the CVE-2021-30937 vulnerability allows an adversary to sign the app with an arbitrary BundleID or TeamID.
How to Mitigate the Threat?
It is essential that repackaging detection solutions, iXGuard for instance, expand their checks beyond the common TeamID and BundleID verifications. They must verify additional indicators of the app’s composition, because TrollStore re-signs the app with a new certificate.
Furthermore, it is important to detect the actual modifications to application assets and code. Finally, multiple security layers should be combined to maximize mobile app security.
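To make the mitigation concrete, the following added example (not code from the article, GuardSquare or iXGuard) contrasts the weak check, comparing only CFBundleIdentifier, with a composition check that records the SHA-256 of every file in the known-good bundle at build time and later compares the file set and per-file hashes. The app name Demo.app, the bundle identifier com.example.demo and both IPA contents are constructed for the demonstration; a bundle that keeps its identifier but carries a patched binary, replaced assets and an extra dylib passes the identifier check and fails the composition check.

```python
import hashlib
import io
import plistlib
import zipfile

APP_DIR = "Payload/Demo.app/"            # hypothetical app directory inside the IPA
EXPECTED_BUNDLE_ID = "com.example.demo"  # hypothetical bundle identifier


def make_ipa(files):
    """Build an in-memory IPA (a zip holding a Payload/<App>.app/ tree) from a {relative path: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel, data in files.items():
            zf.writestr(APP_DIR + rel, data)
    return buf.getvalue()


def bundle_entries(ipa_bytes):
    """Return {relative path: bytes} for every file under the .app directory."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(APP_DIR) and not name.endswith("/"):
                out[name[len(APP_DIR):]] = zf.read(name)
    return out


def build_manifest(ipa_bytes):
    """Build-time step: record the SHA-256 of every file in the known-good bundle."""
    return {rel: hashlib.sha256(data).hexdigest()
            for rel, data in bundle_entries(ipa_bytes).items()}


def bundle_id_check(ipa_bytes):
    """Weak check: only compares CFBundleIdentifier. A re-signed repackage keeps it intact."""
    info = plistlib.loads(bundle_entries(ipa_bytes)["Info.plist"])
    return info.get("CFBundleIdentifier") == EXPECTED_BUNDLE_ID


def composition_check(ipa_bytes, manifest):
    """Stronger check: verify the file set and per-file hashes against the build-time manifest.
    Returns a list of findings; an empty list means the bundle matches the original composition."""
    findings = []
    entries = bundle_entries(ipa_bytes)
    for rel in sorted(set(manifest) - set(entries)):
        findings.append(f"missing: {rel}")
    for rel in sorted(set(entries) - set(manifest)):
        findings.append(f"added: {rel}")
    for rel in sorted(set(manifest) & set(entries)):
        if hashlib.sha256(entries[rel]).hexdigest() != manifest[rel]:
            findings.append(f"modified: {rel}")
    return findings


# Constructed known-good bundle, as shipped by the developer.
INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": EXPECTED_BUNDLE_ID, "CFBundleExecutable": "Demo"})
ORIGINAL_IPA = make_ipa({
    "Info.plist": INFO_PLIST,
    "Demo": b"original-executable",   # placeholder for the Mach-O binary
    "Assets.car": b"original-assets",
})
MANIFEST = build_manifest(ORIGINAL_IPA)

# Constructed repackaged bundle: identical Info.plist, so the identifier check still passes.
REPACKAGED_IPA = make_ipa({
    "Info.plist": INFO_PLIST,
    "Demo": b"patched-executable",
    "Assets.car": b"replaced-assets",
    "Frameworks/Tweak.dylib": b"injected",
})

if __name__ == "__main__":
    print("identifier check, original:  ", bundle_id_check(ORIGINAL_IPA))
    print("identifier check, repackaged:", bundle_id_check(REPACKAGED_IPA))
    print("composition, original:  ", composition_check(ORIGINAL_IPA, MANIFEST))
    print("composition, repackaged:", composition_check(REPACKAGED_IPA, MANIFEST))
```

On a device the same logic runs over the app's own bundle directory rather than an IPA, with the manifest embedded at build time; the manifest itself then needs protection (signing it with a key the app can verify, or deriving it at runtime from hard-coded hashes) so that a repackager cannot simply regenerate it alongside the modified files.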