Security expert Charlie Miller discovers app store exploit, kicked out of iOS developer program

Wed, Nov 16, 2011


When it comes to iOS and Mac security vulnerabilities, former NSA employee Charlie Miller has proven quite adept at finding them, sometimes seemingly out of thin air. Back in 2009, for example, Miller revealed how he was able to remotely take over any iPhone with just a text message comprised of a single character.

More recently, Miller discovered a flaw in the way Apple’s iPhone handles code signing, the way the iPhone protects you from malware.

Simply put, Miller found a way to get an app downloaded from the App Store to download new code not vetted by Apple. And to prove it, Miller actually submitted such an app to iTunes. Once downloaded, the app in question can download and execute code from a remote server, enabling someone to do all sorts of mischievous things such as stealing a user’s photos and viewing their address book contacts.

Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 early last year. To increase the speed of the phone’s browser, Miller noticed, Apple allowed JavaScript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, he realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.)

The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like. “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

“With this bug,” Miller explains in a YouTube video, “you can’t be assured of anything you download from the App Store behaving nicely.”

Not surprisingly, once Apple got wind of Miller’s antics, he was promptly kicked out of the iOS developer program. Reacting to the news, Miller was anything but thrilled:

“I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”

Interestingly enough, Apple over the past few months has had more of an open mind when it comes to hackers, famously hiring iPhone jailbreaker extraordinaire Nicholas Allegra this past summer.

Miller ascribes the difference in approach to Apple’s new management.

“I miss Steve Jobs,” Miller said. “He never kicked me out of anything.”

via Forbes


