Since the App Store’s inception, Apple has been carefully examining applications submitted by third-party developers in order to assure its customers a malware-free experience. Approved apps get signed with Apple’s cryptographic seal, and only than can they be downloaded and run by iPad and iPhone users.
But well-known Mac hacker and researcher Charlie Miller has discovered a flaw in Apple’s restrictions on code signing on iOS devices which would allow attackers to use applications sneaked into the App Store to download and run additional, unsigned code.
According to Andy Greenberg, the bug was introduced in iOS 4.3, as the company allowed Safari (and only Safari) to run unapproved code in order to increase its speed, and Miller found a way of expanding the list of apps that are allowed to do that.
To prove his point, Miller created an app called InstaStock that ostensibly lists stock tickers and submitted it to the App Store. The app was approved by Apple and offered to users. But unbeknownst to the company, the app also contained a hidden payload which takes advantage of the aforementioned flaw.
The app was now capable to “phone home” to a server set up by Miller, from which new code – unapproved by Apple – was downloaded and executed without a hitch. This gave him remote shell access to the device and allowed him to do things like making it vibrate, run a video, and most frighteningly, downloading any file present on it to the server.
Miller, who has managed to sneak the InstaStock app into the App Store back in September, has already notified Apple of the flaw on October 14th.
But, as news that he was planning to demonstrate the attack next week at the SysCan conference in Taiwan broke, Apple reacted immediately: not only has his app been removed from the App Store, but he himself has been booted out of the iOS Developer Program since he violated the agreement that forbids developers to “hide, misrepresent or obscure” any part of the submitted apps.
Miller is, understandably, annoyed by the move. “They went out of their way to let researchers in, and now they’re kicking me out for doing research,” he says. “I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”
I guess that his upcoming demonstration can’t be executed now – unless he has predicted Apple’s reaction and uploaded (or asked someone to upload) a second booby-trapped app.
UPDATE: The flaw has been fixed.