iOS Bug Allows Malware to Be Sold in Apple App Store

According to Denver-based security consultant Charlie Miller, the Apple App Store is vulnerable to infiltration by malware apps that pose a significant risk to Apple customers. Miller, a four-time winner of the Pwn2Own hacking contest and an employee of security consulting firm Accuvant, submitted an app that exploited a previously unknown iOS bug and gained Apple's approval to sell it.

The app, a fake stock ticker called "Instastock", works by exploiting an exception Apple made for the Safari browser with iPhone 4.3. Previously, every app sold through Apple's store had to be code-signed, and iOS rejects any code that is not signed. With iPhone 4.3, the Safari browser itself, functionally just another app, was exempted from that requirement to speed up JavaScript execution. Miller's fake stock ticker app spoofed Safari's code, tricking iOS into waving it through customs, so to speak. Once installed, "Instastock" contacts a server at Miller's home and requests additional software to download, proving that the App Store can be used to distribute malware to unsuspecting customers with surprising ease.

Miller may have done Apple an enormous favor by identifying a serious vulnerability and making it public, a move likely to help Apple avoid the fate of the Android market, which has had a notorious malware problem over the last year. Apple isn't having it. Yesterday, Miller tweeted that he'd been kicked out of Apple's iOS developer program. Miller claims to have informed Apple of the flaw in October, but he did not warn them that he had put the app up for sale (a move he insists was necessary to prove the flaw's seriousness).

He has now been officially banned from the iOS developer program for one full year. Probably for the best, as not having to worry about people helping to identify potential threats to their customers will give Apple more time to pursue vicious legal action against tiny competitors.

42 comments
    Top Comments
  • stonedatheist
    Banning a white hat hacker that is helping them find potential threats in their OS? Apple has sunk to a new low.
    20
  • cumi2k4
    Didn't Apple hear of the old adage "don't shoot the messenger"?
    20
  • Goldengoose
    Apple and their actions just remind me of a child. Give them advice and they throw it back in your face, have something they don't and they throw a tantrum and ask mummy to sort it (the current state of patents and courts).
    15
  • Other Comments
  • Scanlia
    I thought Apple was controlling and secure....
    3