iOS security flaw lets signed apps control your phone

Forbes reports that Charlie Miller, a "serial Mac hacker" and Accuvant security researcher, has found an exploit that allows a signed iOS app to phone home to a remote computer, which can then steal the user's photos, read contacts, make the phone play sounds or vibrate, and more. Miller has already created a proof-of-concept app that demonstrates this malicious behavior, which was available on Apple's App Store until it was pulled earlier today.

Miller's sleeper app was called InstaStock and purported to be a benign stock ticker tracker. Though Apple pulled the app down pretty quickly as news of the exploit got out, screenshots and the short description of the app can still be seen at AppShopper. Miller was also promptly kicked out of the iOS developer program. He plans to demonstrate the exploit at the SysCan conference in Taiwan next week.

The flaw affects iOS versions 4.3 and later. Starting in version 4.3, Apple allowed JavaScript code to run at a much deeper level of the device's memory to increase the speed of the iOS web browser. This speed increase required Apple to create an exception for the browser to run unapproved code in a region of the device's memory, something that was not possible in earlier versions. Miller then found a bug that let him use that exception to run any application he wanted.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” Miller said. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Quite the scary thought, but expect Apple to patch this exploit very quickly. While the "walled garden" approach has served Apple, and other companies' platforms, fairly well thus far, this latest news is a stark reminder that even the most well-guarded systems will still have holes waiting to be discovered.

Watch a video of the exploit in action below:


15 Comments


ROFL. Every time Apple improves their products, there's always Charlie Miller to remind them there are flaws left.

Aethec said,
ROFL. Every time Apple improves their products, there's always Charlie Miller to remind them there are flaws left.

You know, just saying, but that sentence works just as great, even better actually, if you exchange "Apple" with "anyone" or "any company".

This is awesome. I'm not 100% sure, but this might be one of the first of-its-kind in-the-wild exploits that someone has proven to be quite damaging to the end user if it were used by a malicious hacker.
I commend this guy for finding and demonstrating this and hope he continues to do this kind of research; after all, this kind of thing is what keeps a platform so secure.

Yeah, but hearing on the news that "someone released a virus for the iPhone, but the program was removed and the person is no longer a developer", looks much better than "someone released a virus for the iPhone, Apple to release a security update later this month to fix the flaw".

It's all about the marketing...

GreyWolf said,
Pretty stupid kicking him out of the developer program instead of working with him.

Agree, but it's Apple! That's the way they work.

GreyWolf said,
Pretty stupid kicking him out of the developer program instead of working with him.

The guy found a flaw and created a trojan using it, why shouldn't Apple kick him out of the developer program?

It's famed security researcher Charlie "Pwning iDevices annually @ Pwn2Own since '07" Miller they're talking about. He openly competes at conventions, & publicly discloses his research findings to the respective IP owner(s) beforehand. Besides, the trojan was purely a proof-of-concept application... It. Wasn't. Malicious. <check the source article>

The_Decryptor said,

The guy found a flaw and created a trojan using it, why shouldn't Apple kick him out of the developer program?

Without people like him testing the device's capabilities and finding these flaws, half the patches would still not be patched, or patched in a lot less time, because "Apple" say not many people know about this bug. If it wasn't public, then how would you even know about this exploit? Let's look at the worst-case scenario: someone else finds this bug, does not make it public, does not report it, and steals all your personal and private information. How do you feel now? Now imagine this app is downloaded a million times; that's a million people's information.

Why shouldn't Apple kick him as a developer? Because without him working on these types of things, a lot more people would take advantage and steal your information. Apple is meant to care about your security and always brags about "no viruses", yet I read more and more "virus alert", "exploit found", and it's people like Miller that find them and report them, and Apple's response is always the same: "Oh crap, let's kick them from the programme, this shows we're doing something good!" Yet without him there's nothing, fact!

The_Decryptor said,

The guy found a flaw and created a trojan using it, why shouldn't Apple kick him out of the developer program?

Because Apple knows full well that he's a white-hat hacker that specializes in their operating systems.

He stopped being a white hat hacker the minute he created a trojan horse using his exploit and spread it around.

Do we call normal trojan horse makers white hats because they spread their trojans?

The_Decryptor said,
He stopped being a white hat hacker the minute he created a trojan horse using his exploit and spread it around.

Do we call normal trojan horse makers white hats because they spread their trojans?


So you're saying you would have preferred someone else to find this exploit and abuse it rather than Miller, who exposed it and warned people like yourself?

Now that's funny. I love Apple fanboys and their idiocy.

And boom! That may be a reason for people to update iOS regardless of whether they are jailbroken. You really don't want to have that flaw on your device. I mean, I can also see it as a way to maybe jailbreak.