Researcher demos iOS security flaw via App Store app
One of the benefits of Apple’s App Store model is the security it brings to the iOS platform. Since Apple approves each and every application that’s available for download, the chances of a malicious piece of software making it to an actual device are slim—but not impossible. For example, Forbes reports that one security researcher published a seemingly innocuous app that actually contained an exploit, allowing him to run unauthorized code as a demonstration.
The name Charlie Miller will be familiar to anybody who follows Mac security. Currently employed as a researcher by Accuvant, Miller has over the last several years discovered several vulnerabilities on Apple’s platforms, including an iPhone flaw that could be exploited via SMS, which Apple quickly moved to patch.
To demonstrate this vulnerability, Miller submitted an app, InstaStock, to the App Store. While the application, a stock tracker, functioned as expected, it could also take advantage of the security flaw to make a connection to Miller’s server, allowing him access to the device’s hardware functions and data. Apple approved the application in September, but it wasn’t until this week that Miller showed off a video of himself exploiting the vulnerability. In the demo, Miller used the exploit to make the phone vibrate and to access its Address Book data.
Unsurprisingly, Apple quickly pulled the app from the store and, according to Miller’s Twitter posts, revoked his Developer Program access for a year. The researcher says that while he did inform Apple of the vulnerability several weeks ago, he did not tell the company that an app with the exploit was live on the store.
Miller plans to demonstrate the exact nature of the vulnerability at next week’s SysCan security conference in Taiwan. Apple did not immediately respond to a request for comment about when a patch could be expected. Earlier this month, though, the company promised an upcoming iOS update that would fix battery issues; it’s possible that this update, expected within the next few weeks, may also patch this security vulnerability.