One of the benefits of Apple’s App Store model is the security it brings to the iOS platform. Since Apple approves each and every application that’s available for download, the chances of a malicious piece of software making it to an actual device are slim—but not impossible. For example, Forbes reports that one security researcher published a seemingly innocuous app that actually contained an exploit, allowing him to run unauthorized code as a demonstration.
The name Charlie Miller will be familiar to anybody who follows Mac security. Currently employed as a researcher by Accuvant, Miller has over the last several years discovered a number of vulnerabilities in Apple’s platforms, including an iPhone flaw that could be exploited via SMS, which Apple quickly moved to patch.
Miller’s most recent discovery exploits a gap in the way JavaScript code runs in newer versions of iOS. Specifically, in order to gain a speed boost in JavaScript processing, the Nitro engine that debuted in iOS 4.3 forgoes the requirement for signed code (that is, code that certifies that it does exactly—and only—what it says it does). Though Apple apparently put other security restrictions in place to prevent an exploit, Miller discovered a hole that allowed him to load arbitrary code and run it.
To demonstrate this vulnerability, Miller submitted an app, InstaStock, to the App Store. While the application, a stock tracker, functioned as expected, it could also take advantage of the security flaw to make a connection to Miller’s server, allowing him access to the device’s hardware functions and data. Apple approved the application in September, but it wasn’t until this week that Miller showed off a video of himself exploiting the vulnerability. In the demo, Miller used the exploit to make the phone vibrate and to access its Address Book data.
Unsurprisingly, Apple quickly pulled the app from the store and, according to Miller’s Twitter posts, revoked his Developer Program access for a year. The researcher says that while he did inform Apple of the vulnerability several weeks ago, he did not tell the company that an app with the exploit was live on the store.
Miller plans to demonstrate the exact nature of the vulnerability at next week’s SyScan security conference in Taiwan. Apple did not immediately respond to a request for comment about when a patch could be expected. Earlier this month, though, the company promised an upcoming iOS update that would fix battery issues; it’s possible that this update, expected within the next few weeks, may also patch this security vulnerability.