Apple lets malware into App Store


Former NSA analyst and serial Apple hacker Charlie Miller has discovered a serious security flaw in iOS, the operating system that powers iPhones and iPads.

iOS prevents apps from acting maliciously by only allowing code that has been signed by Apple to carry out sensitive tasks. It seems that Miller has found a way to break through iOS's security straitjacket and get iOS devices to run unsigned code.

Armed with this knowledge, a hacker could write an app that allows them to take control of victims' phones and tablets: stealing or destroying data, sending text messages or even making them vibrate at the hacker's whim.

And that's exactly what Miller did.

Having discovered a way to circumvent iOS's code signing restrictions, he wrote an app that would bypass Apple's app review process.

The app was able to pass the review process because it didn't contain anything suspicious for the review to discover. Instead his app downloaded the malicious code later, once it had been installed on a phone or tablet.

In any other app this newly downloaded code would have been prevented from running because it wasn't signed.

Any users who downloaded his app, a stock market monitoring tool called InstaStock, would have been unaware that once installed it downloaded a payload of malicious code that gathered up their device’s data and sent it over to Miller’s server.

Thankfully Miller is one of the good guys and the purpose of his app wasn't criminal but to prove his point in a dramatic fashion.

Apple, being no fans of such theatrics, have removed the app from the App Store and terminated Miller's developer license. Expect a fix from Apple in short order too.

Although you can't download the app any more you can see Miller demonstrating control over a hijacked iPhone in his YouTube video.

Arguably just as important as the discovery of a security flaw in iOS is the fact that Miller got his app past Apple's famously strict App Store vetting process.

In doing so he compromised one of Apple's most significant advantages over their fierce rival Google: the safety of their apps and the App Store.

While Google's Android apps can be downloaded from pretty much anywhere, apps for the iPhone and iPad can only be installed via Apple’s official App Store. Each app is individually reviewed before making it into the store.

Apple's gatekeeper approach hasn't been to everyone's liking but it has been a significant factor in protecting Apple devices from the levels of malware Android is experiencing. Now it seems the gatekeeper’s been caught snoozing.

So what can you do to stay safe?

The prospect of viruses running rampant through the App Store is still remote but iPhone and iPad owners cannot afford to languish behind Apple’s reputation. Graham Lee's three free tips to better protect your iPhone are a good start to defending against the common problems users are likely to face.


4 Responses to Apple lets malware into App Store

  1. NetD · 1078 days ago

    Title of the article severely misleading.

  2. The headline is a little misleading. The app store itself wasn't compromised was it? Just an app. This is more of a trust issue. Do you inherently trust every app on there just because it is there?

    • markstockley · 1074 days ago

      On re-reading it I agree about the headline - I've changed it now.

      The App Store infrastructure wasn't compromised no. A flaw in iOS allowed a developer to pass malware undetected through the App Store review process. I understand that the code-signing bug was fixed in the most recent update.

      On the trust issue I was speaking to a couple of Average Joe iPad users this weekend who were completely and utterly shocked by the idea that malware could get into the App Store. It's just not part of their world view or experience and that is in large part because of the ability of the App Store to screen out bad things.


About the author

Mark Stockley is the founder of independent web consultancy Compound Eye and he's interested in literally anything that makes websites better. Follow him on Twitter at @MarkStockley