Apple has enjoyed a stellar record for the security of the applications distributed through its iTunes store, but a security researcher has just egged the house. Charlie Miller, principal research consultant for security consultant Accuvant discovered a bug in Apple's iOS 4.3 that allowed him to build an app that when downloaded, caused the user's phone to connect back to his server. That server could then download additional software to the user's phone.
This exploit is what is called a "proof-of-concept", and no malicious code was actually downloaded; Mr. Miller simply proved it could be done. The more embarrassing part for Apple was that they had approved Miller's app, which he called "Instastock". Key to that security is the fact that Apple digitally signs all apps carried in the iTunes store, and iOS refuses to run any app that is not signed.
What Mr. Miller discovered was that with iOS 4.3, Apple made an exception for the Safari browser that would apparently speed up JavaScript execution. That vulnerability exists in every release since 4.3, including the new 5.0. The trick was to fake iOS into thinking Instastock was actually Safari.
The security blanket of iTunes is one of the big advantages Apple could cite over Android, which has had repeated problems with malware infected apps showing up in the Android store. The exploit is not a trick anyone could have pulled off, as this Miller fellow has some bona fide credentials, being the only four-time winner of the annual Pwn2Own hacking contest. What he learned quickly was that Apple does not like egg on its face.
Shortly after Mr. Miller made his announcement he received an email from Apple informing him that we was out of Apple's iOS developer program, and he would be banned for a full year. He contends that he had informed Apple of the vulnerability three weeks earlier, he just didn't tell them he'd actually placed his app in the store.
We can be fairly sure that Apple will fix this problem post-haste, but it is another important reminder that even the most secure of systems may still have these little surprises hiding in them.
