
TrollStore enables users to install any apps on non-jailbroken iOS devices

By Staff Writer, ITWeb
Johannesburg, 30 Sep 2022

A new iOS tool called TrollStore has been released, which enables users to permanently install any app on a device that has not been jailbroken.

According to mobile application protection company Guardsquare, while this might sound trivial, Apple's policies make distributing modified ("modded") apps on iOS often more challenging than actually modifying them.

TrollStore was released on 3 September and affects all iOS versions from iOS 14.0 to iOS 15.4.1. It combines two recently disclosed vulnerabilities, CVE-2022-26766 and CVE-2021-30937, to gain root privileges and sign the application with arbitrary entitlements.

“Effectively, this means that an attacker can run the application with arbitrary permissions and properties,” said Jan Seredynski, a security researcher and pentester at Guardsquare.

Why the fuss?

Before TrollStore came along, users of modified application versions would usually jailbreak their devices or use one of a few other approaches to install repackaged applications. Jailbreaking a device means modifying it to remove restrictions imposed by the manufacturer or operator.

Each of those other options had significant downsides, so jailbreaking was often the preferred approach. Because of this, many applications have used jailbreak detection not only to verify the integrity of the execution environment, but also as a way to mitigate repackaging threats.


With TrollStore, the effort needed to install modified apps has been dramatically reduced, as anyone can now install a modified application without jailbreaking their device, he explains.

“For an application developer, this now means that jailbreak detection is no longer a valid stopgap to mitigate the majority of repackaging efforts. What's worse, with TrollStore, most of the common repackaging detection solutions won't detect an issue either. This is due to the CVE-2021-30937 vulnerability which enables an attacker to sign the app with an arbitrary TeamID and BundleID.”

Mitigating risk

TrollStore re-signs the app with a completely new certificate and new entitlements.

This means that today's repackaging detection schemes, including tools such as iXGuard, must expand beyond some form of runtime TeamID and BundleID verification and check additional indications of authorship.

They will also need to detect the actual modifications to application code and assets.
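The following is an added illustration of the two detection approaches contrasted above; it is not code from Guardsquare, iXGuard or TrollStore. It models a hypothetical app that can read its own TeamID, BundleID, executable bytes and resource bytes at run time, and compares a legacy check that trusts the identity fields alone with a layered check that also pins digests of the code and assets. The scenario names, sample byte strings and pinned values are constructed for the example, and FNV-1a stands in for a real digest (on iOS you would use CC_SHA256 from CommonCrypto) only to keep the block dependency-free.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in digest. On iOS you would use CC_SHA256 from CommonCrypto;
 * FNV-1a is used here only so the example has no dependencies. */
static uint64_t digest(const unsigned char *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* What an app can observe about itself at run time (hypothetical model). */
struct app_image {
    const char *team_id;          /* TeamIdentifier from the code signature */
    const char *bundle_id;        /* CFBundleIdentifier from Info.plist */
    const unsigned char *code;    /* bytes of the executable's __TEXT segment */
    size_t code_len;
    const unsigned char *assets;  /* bytes of resources worth protecting */
    size_t assets_len;
};

/* Reference values baked into the binary at build time. */
struct pinned {
    const char *team_id;
    const char *bundle_id;
    uint64_t code_digest;
    uint64_t assets_digest;
};

enum {
    FAIL_TEAM_ID   = 1 << 0,
    FAIL_BUNDLE_ID = 1 << 1,
    FAIL_CODE      = 1 << 2,
    FAIL_ASSETS    = 1 << 3
};

/* Legacy check: trusts the signature's identity fields alone.
 * Returns a bitmask of failed checks; 0 means "looks genuine". */
int check_identity(const struct app_image *img, const struct pinned *ref) {
    int fails = 0;
    if (strcmp(img->team_id, ref->team_id) != 0)     fails |= FAIL_TEAM_ID;
    if (strcmp(img->bundle_id, ref->bundle_id) != 0) fails |= FAIL_BUNDLE_ID;
    return fails;
}

/* Layered check: identity fields plus digests of code and assets, so a
 * build whose identity was forged still fails if its contents changed. */
int check_layered(const struct app_image *img, const struct pinned *ref) {
    int fails = check_identity(img, ref);
    if (digest(img->code, img->code_len) != ref->code_digest)       fails |= FAIL_CODE;
    if (digest(img->assets, img->assets_len) != ref->assets_digest) fails |= FAIL_ASSETS;
    return fails;
}

/* Constructed sample data standing in for real Mach-O and resource bytes. */
static const unsigned char GENUINE_CODE[] = "genuine __TEXT bytes, release 1.0";
static const unsigned char PATCHED_CODE[] = "patched __TEXT bytes, isPremium=1";
static const unsigned char ASSETS[]       = "config.json strings.plist";

#define BYTES(a) (a), (sizeof(a) - 1)

/* scenario 0: untouched build; 1: classic repack re-signed under the
 * attacker's own developer identity; 2: TrollStore-style repack re-signed
 * with the original TeamID and BundleID. layered 0 runs the legacy check,
 * layered 1 runs the layered check. Returns the failure bitmask. */
int detect(int scenario, int layered) {
    struct pinned ref = {
        "ABCDE12345", "com.example.bank",
        digest(BYTES(GENUINE_CODE)), digest(BYTES(ASSETS))
    };
    struct app_image imgs[3] = {
        { "ABCDE12345", "com.example.bank",        BYTES(GENUINE_CODE), BYTES(ASSETS) },
        { "ZZZZZ99999", "com.example.bank.modded", BYTES(PATCHED_CODE), BYTES(ASSETS) },
        { "ABCDE12345", "com.example.bank",        BYTES(PATCHED_CODE), BYTES(ASSETS) },
    };
    const struct app_image *img = &imgs[scenario];
    return layered ? check_layered(img, &ref) : check_identity(img, &ref);
}

int main(void) {
    const char *names[] = { "genuine", "classic repack", "TrollStore repack" };
    for (int s = 0; s < 3; s++)
        printf("%-18s identity-only=0x%x layered=0x%x\n",
               names[s], detect(s, 0), detect(s, 1));
    return 0;
}
```

The point of the third scenario is that the identity-only check returns 0 for a TrollStore-style repack, because the forged signature carries the original TeamID and BundleID, while the layered check still reports the modified code. In a real app the pinned digests would be computed over the shipped Mach-O and resources at build time, and the comparison itself would need protection against being patched out, which is why the article calls for multiple layers rather than any single check.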

Seredynski says as always, incorporating multiple layers of protection is key to effective mobile application security. “TrollStore and the accompanying CVEs should prompt developers to rethink their view of mobile app security, particularly when it comes to trusting existing system guarantees, such as the integrity of the TeamID and BundleID signature fields.”

TrollStore is a clear example of how such assumptions can be broken at any time, leaving apps vulnerable. "Developers should implement multi-layered and comprehensive protections and not rely solely on system 'guarantees' or public tricks on GitHub."
