Hacker Uncovers Serious iOS Security Flaw

By , Nov 7, 2011

If there’s one thing about iOS that even the skeptics can agree on, it’s that it has far less malware than Android. Several security firms have found that Apple’s mobile platform sees far fewer malicious apps than its Google-backed competitor.

That protection comes largely from Apple’s “walled garden” approach to app approvals: every application is screened and must meet Apple’s criteria before it is allowed in the App Store, and the device itself is meant to run only code Apple has signed. That hasn’t stopped one hacker extraordinaire from finding a really nasty bug…

Forbes is reporting that well-known hacker Charlie Miller has found a way to hide malicious behaviour inside an application in a form that App Store screeners cannot detect. You might recognize Miller from his previous iPhone exploits; he has also won several Pwn2Own competitions.

Forbes explains his latest find:

“At the SysCan conference in Taiwan next week, Miller plans to present a method that exploits a flaw in Apple’s restrictions on code signing on iOS devices, the security measure that allows only Apple-approved commands to run in an iPhone or iPad’s memory. Using this method—and Miller has already planted a sleeper app in Apple’s App Store to demonstrate the trick—an app can phone home to a remote computer that downloads unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.”

The sleeper app the article refers to is called Instastock. It’s described as a simple list of stock tickers, but it does much more than that: the app communicates with Miller’s home server, pulling down and executing his custom commands at will. (A demonstration video was embedded here in the original post.)
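To make the control Miller sidestepped concrete, here is an added example that is neither Apple’s code nor Miller’s (the signing key, the command names and the Device class are all constructed for the demo): a toy model of a code-signing gate in which a device executes only bundles whose bytes carry a valid store signature. Review sees and signs the static bundle; anything the app fetches from a server afterwards carries no signature, so a working gate refuses it. HMAC-SHA256 stands in for Apple’s certificate-based signatures. Miller’s bug is a way for unsigned bytes to run anyway; this example shows the invariant a correct implementation must hold, not the bypass, which the article does not describe.

```python
import hashlib
import hmac
import json

# Hypothetical key held only by the "store" (constructed for this demo; a real
# code-signing scheme uses a certificate chain, not a shared secret).
STORE_SIGNING_KEY = b"demo-store-signing-key"


def sign_bundle(code: bytes, key: bytes = STORE_SIGNING_KEY) -> dict:
    """Model of approval: the store signs exactly the bytes the reviewer saw."""
    sig = hmac.new(key, code, hashlib.sha256).hexdigest()
    return {"code": code, "sig": sig}


def is_approved(bundle: dict, key: bytes = STORE_SIGNING_KEY) -> bool:
    """True only if the bundle's bytes carry a valid store signature."""
    expected = hmac.new(key, bundle["code"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bundle.get("sig", ""))


class Device:
    """Toy device: 'code' is a JSON list of command names. The device runs a
    bundle only when is_approved() says so, and records every decision."""

    def __init__(self):
        self.events = []

    def run(self, bundle: dict):
        if not is_approved(bundle):
            self.events.append(("refused", "unsigned or tampered bundle"))
            return None
        commands = json.loads(bundle["code"])
        self.events.extend(("ran", cmd) for cmd in commands)
        return commands


def demo() -> dict:
    """Three attempts a sleeper app in the style of Instastock would make."""
    device = Device()
    # 1. The bundle that passed review: a harmless stock list.
    reviewed = sign_bundle(b'["show_stock_tickers"]')
    result_reviewed = device.run(reviewed)
    # 2. Commands fetched from the operator's server after approval. They were
    #    never signed, so the gate must refuse them.
    fetched = {"code": b'["read_contacts", "upload_photos", "vibrate"]', "sig": ""}
    result_fetched = device.run(fetched)
    # 3. Reuse the reviewed bundle's valid signature over swapped-in code.
    tampered = dict(reviewed, code=b'["read_contacts"]')
    result_tampered = device.run(tampered)
    return {
        "reviewed": result_reviewed,
        "fetched": result_fetched,
        "tampered": result_tampered,
        "events": device.events,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the third attempt is that the signature binds the approval to specific bytes: swapping code under an existing signature fails the same way as fetching unsigned code. App review only ever inspects the first bundle; everything after that rests on the device enforcing this check on every byte it executes.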

Instastock has since been removed from the App Store. In fact, The Next Web is reporting that Apple has removed Miller from the iOS developer program altogether. The hacker responded to the move on Twitter, saying that it “feels a bit heavy handed, I miss Steve.”

Miller isn’t revealing the details of the bug until his SysCan presentation next week. He wants to give Apple more time to patch the flaw before it becomes public, noting that it could reduce the security of the iOS platform to that of Android. Ouch.

Forbes has reached out to Apple for comment on Miller’s find but has yet to hear back. Hopefully we’ll get word of a fix soon, given how dangerous the issue is. We’re just glad Charlie Miller uses his extraordinary talents for good instead of evil.

  • Anonymous

    Apple. Hire this guy.

  • http://www.facebook.com/reanimationxp Drew Alden

    Apple banning his account is retarded… and I wish he gave some more details on what exactly he’s exploiting to do this. Apple’s app review process was supposed to run through every possible method and check for things like this.

  • http://twitter.com/iphoneblogr iphoneblogr

    OMFG He’s wearing a “Buy More” shirt hahahah I love Chuck!!

  • http://www.facebook.com/profile.php?id=100000320151996 Sergio Jiménez

    I want my mommy :(

  • http://twitter.com/xTHAxKCxKlowNx Danthony

    Apple needs to fix this soon

  • http://www.idownloadblog.net/ JailBreak101

    Why can’t we get him to create an untethered iOS 5 jailbreak… Possibly our new hero!
    This guy is smart!!!

    • http://www.facebook.com/people/John-Diakogiannis/1209608266 John Diakogiannis

      It would be so funny if we could download an app from the App Store and then have it jailbreak and untether your device. That would be a kick right in the nuts for Apple.

    • http://twitter.com/ioscat Bradley Thomas

      Exactly. He should do this, definitely. “Meat produce”.

  • http://www.facebook.com/andres.marrero2 Andres Marrero

    Pretty scary. And to think that the iPhone is the most secure device out there; seeing stuff like this makes you think otherwise =/

  • http://twitter.com/AWonton aWonton

    Yeah, I wish it had spread across the jailbreak community first so we could get an app store downloaded jailbreak, would have been limited time only but easily one of the most hilarious jailbreaks evar!

  • http://www.facebook.com/profile.php?id=100002164516084 Little Buck

    I just got an app doing this too. It was a free one with 100 downloads and 0 ratings or views, and when I downloaded it my iPod started going haywire, so I deleted it and rebooted it and it’s working fine now.

  • http://twitter.com/ic0dex ic0edx

    I wanna be this guy!

  • Antonio Castro

    There go the jailbreaks, thanks dude… but he still violated Apple’s terms and conditions, so he got banned… maybe they’ll allow him back, as probably the security folks at Apple didn’t talk to each other and one terminated his account because of the code he ran… anyway, hope this doesn’t stop the jailbreaks….

  • http://twitter.com/YoungGreen83 Keith Green

    Somebody tell him to make that app download Cydia so we can tweak our phones.
    He was right there!!

  • http://www.facebook.com/profile.php?id=100000041129068 John Angelo Moraitis

    Apple was stupid to ban this guy. I mean really. He is helping Apple. If he wanted to use this for evil, why the heck would he make a video!!!

  • Anonymous

    Apple needs to realize that biting the hand that feeds you is a mistake.
    After all, Miller could have sold the exploit, causing Apple to lose new customers and old; banning him is a bit harsh.
    I have a feeling that when Steve was at the helm of Apple these things were treated with respect and encouraged to help Apple, but closing the door on him might prevent other people from coming forward with future exploits that will cause problems :-(

  • http://www.facebook.com/profile.php?id=100000606372701 David Canfield

    Holy shit, hire the mother !@#$%^

    • http://www.unitedworx.com Paris Paraskeva

      This is not much different from the PDF flaw that allowed you guys to jailbreak your device a year ago. Instead of the payload being sent by a website, it’s being sent by a remote server via an app already in the App Store.

      I am sure Apple will fix this soon enough; they are fast at patching this sort of stuff. Removing the app and the developer account altogether says they are serious about it!

  • http://twitter.com/jnichols515 John Nichols

    They should hire him, not kick him out of dev. Duh!

  • http://twitter.com/jnichols515 John Nichols

    They should hire him, not kick him out of the dev pool. Duh!
    Microsoft hired a college kid, on the spot, who hacked their servers years ago. Bill Gates flew into the little town and hired the kid himself!

  • Ryan Hobbs

    Trying to understand why he went about this the way he did. Does Apple typically put their head in the sand when confronted with iOS vulnerabilities? I haven’t noticed that, but maybe I’ve missed something. The point I’m making here is that he was on the team. Why couldn’t he have just brought it to the attention of Apple in a less dramatic fashion? This seems like a publicity stunt designed for personal notoriety, of course with the added benefit of identifying a weakness. I could be wrong but it seemed like a heavy handed tactic, usually reserved for companies that have to be forced into admitting security issues exist. Call me crazy but if someone on my team chose to handle a security vulnerability in our products in this way I would probably fire them as well. Just don’t see how this course of action was necessary for him to get the issue addressed and remediated.