iPhone security flaw shows potential for App Store malware

It turns out the Apple store isn't all that secure.

The iPhone App Store has a reputation for rock-solid security, but that rep took a hit this week when an app that could run unauthorized code and control phones remotely was released to the public.

Luckily, this bad app was released for research purposes--not malicious ones.

Security researcher and famous Mac hacker Charlie Miller demonstrated an iPhone security flaw using a dummy stock ticker app that Apple unwittingly accepted into the App Store. The app was able to call a remote computer, which could then download unsigned code to the iPhone, harvest sensitive data, and trigger actions such as vibrations and ringtones.

Apple has already removed the program from the App Store, and has terminated Miller's developer license, Forbes reports.

Miller plans to describe the flaw in detail at the SysCan conference in Taiwan next week, but the gist is that mobile Safari's "Nitro" JavaScript engine, released with iOS 4.3, requires the privilege of running unapproved code in a region of the iPhone's memory. Miller's exploit extends this privilege to other apps, which are usually barred from running unapproved code in the same way as Safari for security reasons.

iPhone users needn't panic; the offending app is already gone, and Miller expects Apple to squash the security bug to prevent legitimate attacks. Still, this exploit proves that the App Store's strict security measures aren't impenetrable. Security researchers have been saying this for years, but Miller has actually demonstrated it in the real world.

Follow Jared on Facebook, Twitter or Google+ for even more tech news and commentary.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Appleapple iphone

More about AppleFacebookGoogleNewman

Show Comments
[]