Teh One Who Knocks
11-09-2011, 04:43 PM
By Matt Liebowitz, SecurityNewsDaily Staff Writer
http://i.imgur.com/CjjOp.jpg
Security researcher and ethical hacker Charlie Miller shattered the concept of iOS security yesterday (Nov. 7), revealing to the world that he'd gotten a malicious app approved by Apple and placed in the iTunes App Store.
For his trouble, Apple kicked Miller out of its app developer program. Miller's app is a "proof of concept" and does not harm the iPhone or iPad user, but it shows that Apple's famously stringent iOS security policies are not hacker-proof.
Miller developed InstaStock, an app billed as a program that tracks stock prices in real time. Apple accepted the app in September, and it was in the iTunes App Store until yesterday, just after Miller came clean about InstaStock's true capabilities. Apple promptly removed the app and sent Miller an email telling him he was no longer an approved Apple developer and would have to wait a year before reapplying.
A researcher with the security firm Accuvant, Miller had rigged the app to connect to a server in his St. Louis home and to receive commands to perform a number of devious tasks, including reading an iPhone's files, making a phone vibrate and remotely downloading the pictures and contacts stored on the device of a person running the app.
Miller, Apple's email said, had violated a clause in the license for app developers in which he agreed he would not "hide, misrepresent or obscure any features, content, services or functionality" of apps.
"In their defense, I did break the terms of service," Miller told SecurityNewsDaily.
He wrote on his Twitter page that he had contacted Apple about the security vulnerability three weeks ago, but did not tell them then about the devious app.
"But I didn't hurt anyone, no malicious code was ever put on anyone's phone, and I only did what I needed to do to demonstrate this was a real flaw that could find its way into the App Store," Miller said. "I'm a professional consultant and I was helping Apple secure their device for free on my own time, and they repay me by kicking me out of their program. It's mind-boggling."
Apple's App Store policy is especially strict. Each iOS app undergoes a full security review before it's accepted, and each app is digitally signed so that stock iPhones and iPads will accept apps only from the iTunes App Store.
The proof-of-concept hack hidden inside Miller's InstaStock app was especially sly, and worked by bypassing security protections Apple builds into iOS devices — the iPhone, iPad and iPod Touch — meant to prevent any code from running on them without Apple's explicit permission. Miller explained in a YouTube video how his InstaStock app subverted the company's code-signing feature.