iOS 5 Security Flaw Exposed as Apple App Store is Hacked
Charlie Miller, a hacker of all things Apple since 2007, has exposed a flaw in the company’s programming that allows a mischievous application on to an iOS device. Apple has responded by revoking his developer's license.
To prove the security flaw, Miller made a deceptive app called Instastock, which was accepted into Apple’s app store. Once it was downloaded to an iPhone, a video Miller made shows the phone being hacked, which includes stealing its contacts and making the phone vibrate.
“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” said the hacker. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely,” he said in his YouTube video.
Miller plans to present the painstaking process he developed in order to hack iOS devices at the SysCan conference in Taiwan next week. He waited to expose the programming flaw so that Apple has time to correct the issue.
The discovery has gained so much attention because of Apple’s notoriously stringent rules regarding third-party developer applications: Apple polices the app store vigorously, and retains the right to delete software at any time.
However, the fact that only one app like this has gotten into the store is a testament to Apple’s protective measures: they clearly work.
Also, just anybody wouldn’t be able to pull off the technological feat Miller did. He is a former National Security Agency analyst, and currently works as a researcher with Accuvant, a consultancy firm.
Miller said he first noticed the problem when iOS 4.3 was released last year, which used unapproved code to speed up the iPhone 4 processing. He investigated the new function then exploited it to allow the iPhone to download unapproved software.
Miller’s prowess emulated that of John Oberheide, who used his Rootstrap code to demonstrate the potential chaos malware can cause on an Android device. But the Android market isn’t nearly as restrictive as Apple’s App Store, making Miller’s success even more of a feat.
”Android has been like the Wild West,” said the hacker. “And this bug basically reduces the security of iOS to that of Android.”
Apple, in response, has revoked Miller’s developer’s license, so he can no longer create software for iOS devices with company permission. They have also pulled Instastock from the App Store.