Skip to main content

iOS Bug Allows Malware to Be Sold in Apple App Store

According to Denver-based security consultant Charlie Miller, the Apple App store is vulnerable to infiltration by malware apps that can pose a significant risk to Apple customers. Miller, 4-time winner of the Pwn2Own hacking contest and an employee of security consulting firm Accuvant, managed to submit and gain Apple's approval to sell an app that exploited a previously unknown iOS bug.

The app, a fake stock ticker called "Instastock", works by exploiting an exception Apple made for the Safari browser with iPhone 4.3. Previously, all apps had to be signed in to its e-mart; any code not signed is subsequently rejected by iOS. With iPhone 4.3, the Safari browser itself  - functionally similar to any other app - was excluded from that requirement in order to expedite the execution of Javascript execution. Miller's fake stock ticker app spoofed Safari code, tricking iOS into waving it through customs, so to speak. Once installed, "Instastock" pings a server at Miller's home and requests to download additional software, proving that the App Store can be used to distribute malware to unsuspecting customers with surprising ease.

Though Miller may have done Apple an enormous favor by identifying an enormous vulnerability and making it public, a move likely to help Apple avoid the fate of the Android market, which has had a notorious problem with malware apps in the last year, Apple isn't having it. Yesterday, Miller tweeted that he'd been kicked out of Apple's iOS developer program. Miller claims to have informed Apple of the flaw in October, but didn't warn them about putting the App for sale (a move he insists was necessary to prove the flaw's seriousness).

He has now been officially banned from the iOS developer program for one full year. Probably for the best, as not having to worry about people helping to identify potential threats to their customers will give Apple more time to pursue vicious legal action against tiny competitors.