iOS security flaw lets signed apps control your phone

Forbes reports that Charlie Miller, a "serial Mac hacker" and Accuvant security researcher, has found an exploit that allows a signed iOS app to phone home to a remote computer, which can then steal the user's photos, read contacts, make the phone play sounds or vibrate, and more. Miller has already created a proof-of-concept app that demonstrates this malicious behavior, which was available on Apple's App Store until it was pulled earlier today.

Miller's sleeper app was called InstaStock and purported to be a benign stock ticker tracker. Though Apple pulled the app quickly as news of the exploit got out, screenshots and the short description of the app can still be seen at AppShopper. Miller was also promptly kicked out of the iOS developer program. He plans to demonstrate the exploit at the SyScan conference in Taiwan next week.

The flaw affects iOS versions 4.3 and later. Starting in version 4.3, Apple allowed JavaScript code to run on a much deeper level of the device's memory to increase the speed of the iOS web browser. This speed increase required Apple to create an exception that lets the browser run unapproved code in a region of the device's memory, something that was not possible in earlier versions. Miller then found a bug that let him use that exception to run any application he wanted.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” Miller said. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Quite the scary thought, but expect Apple to patch this exploit very quickly. While the "walled garden" approach has served Apple's platform, and other companies' platforms, fairly well thus far, this latest news is a stark reminder that even the most well-guarded systems will still have holes waiting to be discovered.
