Apple iOS exploited

A major security flaw in Apple’s iOS operating system that could allow hackers to remotely gain unauthorized access to an iPhone, iPod touch or iPad has been uncovered by a security expert. Described by Forbes as a “serial Mac hacker,” Accuvant LABS computer security researcher Charlie Miller has uncovered a security flaw that allows hackers to build apps that look legitimate and pass through Apple’s App Store approval process. Using a code-signing vulnerability, however, the malicious apps will automatically connect to a remote server following installation and download new unapproved code that might grant hackers access to system files, personal data and a host of unauthorized functionality. Read on for more.

Apple’s closed App Store approval process has been touted by security experts and pundits alike as a much more secure option than an open system like Google’s Android Market. While Apple has been largely successful in keeping malicious software out of its iOS App Store, this newly revealed vulnerability illustrates that no system is ever fully secure. “Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” Miller told Forbes in an interview. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Miller isn’t just talking the talk, either. The security expert actually planted an app in Apple’s App Store that utilizes the exploit he detailed. Miller submitted the app to Apple for approval using his developer account and, following Apple’s standard testing and approval process, the app became available in the App Store. Miller then recorded a video illustrating some of the many functions a hacker would be able to perform using this exploit, which include executing a payload that will give the hacker complete control of an iOS device from a remote terminal.

The security expert’s app has since been removed from the App Store and his developer account has been suspended. Miller’s video follows below. Miller plans to describe the flaw in detail at the SysCan conference in Taiwan, but the gist is that mobile Safari’s “Nitro” JavaScript engine, released with iOS 4.3, requires the privilege of running unapproved code in a region of the iPhone’s memory. Miller’s exploit extends this privilege to other apps, which are usually barred from running unapproved code in the same way as Safari for security reasons.

iPhone users needn’t panic; the offending app is already gone, and Miller expects Apple to squash the security bug to prevent legitimate attacks. Still, this exploit proves that the App Store’s strict security measures aren’t impenetrable. Security researchers have been saying this for years, but Miller has actually demonstrated it in the real world.

It’s not really the smartest move, as I’m pretty sure anyone as smart as Charlie Miller still has plenty of options – use another person’s account, sign up another account with a different identity, hack the phone without the developer program access and so on. Really, it’s quite a harsh move from Apple and it’s not going to make them any friends in the security industry.

In a way though, you have to agree that Miller did violate the very specific developer program agreement by hiding the PoC inside a legitimate application. That probably wasn’t his smartest idea, but then again it’s helping Apple and he’s not doing it in a malicious way to infect people – he’s doing it as a security researcher.

Apple should be more proactive about working with people like this, people who are actually fixing bugs in their products for free and improving the user experience. It’s the way Apple operates though: secretive, exclusive, domineering, etc. If you don’t do things their way, screw you. The way in which Miller uncovered the flaw once again shows his technical brilliance – something which Apple really should be harnessing rather than turning away.

A lot of people noticed changes with iOS 4.3, but couldn’t actually figure out what was going on. Well, that’s what we know in the public realm anyway; no doubt the bad guys had their eyes on it and were digging in with much more malicious exploits.

It basically seems like a way to bypass any kind of code validation by Apple and execute arbitrary code from an attack server – dangerous indeed.
