Tuesday, November 8, 2011

iPhone Security Bug Lets Innocent-Looking Apps Go Bad

from forbes.com

Apple’s iPhones and iPads have remained malware-free thanks mostly to the company’s puritanical attitude toward its App Store: Nothing even vaguely sinful gets in, and nothing from outside the App Store gets downloaded to an iOS gadget. Now serial Mac hacker Charlie Miller has found a way to sneak a fully-evil app onto your phone or tablet, right under Apple’s nose.

At the SysCan conference in Taiwan next week, Miller plans to present a method that exploits a flaw in Apple’s restrictions on code signing on iOS devices, the security measure that allows only Apple-approved commands to run in an iPhone or iPad’s memory. Using his method–and Miller has already planted a sleeper app in Apple’s App Store to demonstrate the trick–an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Update: Apple has terminated Miller’s developer license as a result of his research.

Here’s a link to a video where he demonstrates the security vulnerability.


Miller, a former NSA analyst who now works as a researcher with consultancy Accuvant, created a proof-of-concept app called Instastock to show the vulnerability. The simple program appears to merely list stock tickers, but also communicates with a server in Miller’s house in St. Louis, pulling down and executing whatever new commands he wants. In the video above, he demonstrates it reading an iPhone’s files and making the phone vibrate. Miller applied for Instastock’s inclusion in the App Store and Apple approved the booby-trapped app. (Perhaps the company ought to have been more suspicious of an application in Miller’s name, given that he has hacked practically every device Apple has made since 2007 or so.)

Update: A reader points out that Miller’s application has now been removed from the App Store.

I’ve reached out to Apple for comment but haven’t yet heard from the company. Given how seriously this exploit could affect the company’s crown jewels, expect a patch very soon.

Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 earlier this year. To speed up the phone’s browser, Miller noticed, Apple had let Safari’s JavaScript engine compile scripts from the Web into native machine code at run time and execute that code straight out of memory, something no other process on the device had been allowed to do. That speedup, he realized, had forced Apple to carve out an exception: the browser alone could write unapproved code into a region of the device’s memory and run it, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.)

The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like. “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”
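The exception Miller describes comes down to one system call. An app that wants to run code it did not ship with must put bytes into writable memory and then ask the kernel to make those pages executable; iOS code signing refuses that request for every app except the browser, and Miller’s bug was a way to make it succeed anyway. The following added example (my own illustration, not code from the article, from Miller, or from Instastock) shows the sequence on a desktop Linux or macOS box, where it is allowed. The "payload" is a constructed stub that just returns 42, standing in for whatever a booby-trapped app would fetch from its server; the function names are mine.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed sample payload: machine code for `return 42;`.
 * It stands in for the commands a sleeper app would pull down.
 * Provided for the two architectures a reader is likely to run this on. */
#if defined(__x86_64__)
static const unsigned char payload[] = {
    0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
    0xc3                            /* ret         */
};
#elif defined(__aarch64__)
static const unsigned char payload[] = {
    0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
    0xc0, 0x03, 0x5f, 0xd6          /* ret         */
};
#else
#error "payload bytes provided for x86-64 and AArch64 only"
#endif

typedef int (*entry_fn)(void);

/* Copy `code` into a fresh anonymous mapping, flip the pages to
 * read+execute, call the result, and report its return value.
 * Returns -1 if the kernel refuses any step.
 *
 * The mprotect(PROT_EXEC) call is the point iOS code signing
 * polices: pages not backed by a signed binary may not become
 * executable unless the process holds the JIT entitlement that
 * Apple gave only to Safari in iOS 4.3. */
int run_unsigned(const unsigned char *code, size_t len)
{
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    memcpy(mem, code, len);                     /* stage the downloaded bytes */

    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);                       /* denied: this is what signing enforces */
        return -1;
    }

    /* Instruction caches on ARM are not coherent with data writes. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);

    entry_fn fn;
    memcpy(&fn, &mem, sizeof fn);               /* avoid the object/function pointer cast warning */
    int result = fn();

    munmap(mem, len);
    return result;
}

/* Convenience wrapper running the embedded sample payload. */
int run_payload(void)
{
    return run_unsigned(payload, sizeof payload);
}

int main(void)
{
    int r = run_payload();
    if (r < 0)
        puts("kernel refused to make the staged bytes executable");
    else
        printf("staged code ran and returned %d\n", r);
    return 0;
}
```

On a stock Linux or macOS machine the program prints 42, because nothing there objects to anonymous memory becoming executable. On an iOS device the same mprotect() fails for any app without the browser’s entitlement, which is exactly the property the article says Miller’s bug undermines: once an ordinary app can take that path, the App Store review of the bytes that shipped in the binary tells you nothing about the bytes that run later.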

Miller won’t say just what that bug is until his talk next week in order to give Apple more time to fix the flaw.

Miller’s exploit in some ways resembles another hack created by Jon Oberheide in Google’s competing Android operating system. Using a program called Rootstrap, he showed how an innocent-looking Android app could download and run malicious code after making its way onto a user’s phone. (He used a fake Twilight-themed application to demonstrate the potential attack.)

So he wants to tell them about a vulnerability to better secure their OS and they revoke his dev license. Nice.


  1. Brett™ (not the recent impostor), November 8, 2011 at 3:13 PM

    "So he wants to tell them about a vulnerability to better secure their OS and they revoke his dev license. Nice."

    I think if he'd have just told them instead of violating his developer agreement, he wouldn't have lost his license.

  2. Waaaahh! He notified Apple and provided a proof-of-concept by testing the vulnerability on his own hardware. He didn't hurt anyone as he clearly could have.

    It's funny. I remember some people on this blog commenting on an earlier post about iPhones being targeted in 2011. Looks like the author of that article was right on multiple occasions so far already.


  3. Yeah, I remember Brett (the asshole, not the cool impostor) and some others calling it "FUD" and saying how it will never happen. Can't wait to see the next iVirus. Also, Consumer Reports scores several Android phones above the 4S.

    I laugh at Apple and its pathetic little devices.

  4. Brett™ (not the recent impostor), November 9, 2011 at 3:27 AM

    There's a right way and wrong way to be a "white hat" hacker. Charlie blew it.

    This "exploit" can only be done by a registered developer via his own submitted app, which means that the culprit could easily be identified. No malicious hacker would be stupid enough to risk being caught this way. It's not like an attack would be anonymous. This is not a realistic threat.

    Consumer reports are bozos when it comes to reviewing tech. If you look at the reasons they rated some other phones higher than the iPhone, it comes down to a matter of opinion. For example, they made the assumption that larger screens on cell phones are necessarily better (disregarding resolution, I might add). The 3D camera gimmick seemed important to them, and 4G counted highly even though it is not available everywhere, can add cost to your contract, and using it rips through your battery. Whatever. The iPhone 4S will outsell them all.

  5. Sounds like someone's a sore loser. A security hole is a security hole no matter how you try to spin it. You can keep your flawed and glitchy phone, I'll keep my Android.

  6. Brett™ (not the recent impostor), November 11, 2011 at 1:31 AM

    I didn't lose anything, and I'm not sore. Maybe you're the sore loser. Android has been inflicted by much more malware than has the iPhone (not just proofs of concept either). The only reason that an iPhone exploit is news is because it is a relatively rare occurrence.

    One Year Of Android Malware (as of August 15, 2011)

    By all means, keep your Android. No one's asking you to give it up. I'm quite happy with my iPhone, as are millions of other iPhone owners who have made it the best selling smart phone ever.

    By the way, today Apple released a software fix for the battery-draining problem that some had experienced. It also addresses Charlie Miller's exploit.

  7. Brett, you are sore, it shows every time you post here. Your lame attempts at delivering an argument are a clear indication that you are reaching for excuses.

    And nice try but Apple's "fix" is failing more than succeeding.