Hacker reveals iOS malware vulnerability, gets punished
A researcher and "serial Mac hacker" has discovered a new flaw in Apple Inc.'s iOS operating system that allows malware to be sneaked onto an Apple device such as an iPhone or iPad. But Charlie Miller, who made the flaw public, found himself kicked out of Apple's Developer program and his apps removed from Apple's App Store for his troubles.

"Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check. With this bug, you can't be assured of anything you download from the App Store behaving nicely," Miller said in an article posted on Forbes.

Forbes said Miller plans to present at the SyScan conference in Taiwan next week a method that exploits the flaw in Apple's restrictions on code signing on iOS devices. The method involves a downloaded app phoning home to a remote computer, which then downloads new, unapproved commands onto the device and executes them at will. Such unapproved commands may include stealing the user's photos, reading contacts, making the phone vibrate or play sounds, or repurposing normal iOS app functions for malicious ends.

Proof-of-concept

Forbes said Miller, a former NSA analyst who is now a researcher with the consultancy Accuvant, created a proof-of-concept app called "Instastock" to show the vulnerability. While the app appears to list stock tickers, it also communicates with a server in Miller's house, taking and executing whatever new commands he issues.

Initial suspicions

Miller said he became suspicious of a possible flaw in the code signing of Apple's mobile devices with the release of iOS 4.3: to speed up the iPhone's browser, Apple allowed JavaScript code from the Web to run at a much deeper level in the device's memory than it had in previous versions of the operating system. He noted that the browser's speed increase forced Apple to create an exception allowing the browser to run unapproved code in a region of the device's memory.
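The exception the article describes is a relaxation of the rule that iOS apps may only execute pages the kernel has verified against a code signature: a JavaScript JIT has to write machine code into memory and then run it, which is exactly what ordinary apps are forbidden to do. The following C program is an added illustration, not Miller's exploit code and not anything from Apple; it probes whether the process it runs in can obtain writable-then-executable memory and whether a few hand-assembled bytes placed there will actually execute. On a stock Linux or macOS host both requests are normally granted, which is the outcome iOS code signing exists to prevent for unentitled apps. The function names, the 4096-byte mapping size and the "return 42" stub are this example's own assumptions.

```c
/* Added illustration (not the article's or Miller's code): how far does the OS
 * let this process turn plain data into executable code? Under iOS code signing
 * the kernel refuses these requests for ordinary apps; the iOS 4.3 browser JIT
 * needed an exception to them. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

enum {
    POLICY_RWX_MMAP = 1,  /* anonymous PROT_READ|PROT_WRITE|PROT_EXEC mapping granted */
    POLICY_RW_TO_RX = 2   /* RW page could later be flipped to RX with mprotect */
};

/* Returns a bitmask of which dynamic-code paths the OS allowed (0 = neither). */
int probe_dynamic_code_policy(void) {
    int flags = 0;
    size_t len = 4096;  /* assumption: one small page is enough for the probe */
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED) {
        flags |= POLICY_RWX_MMAP;
        munmap(p, len);
    }
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED) {
        if (mprotect(p, len, PROT_READ | PROT_EXEC) == 0)
            flags |= POLICY_RW_TO_RX;
        munmap(p, len);
    }
    return flags;
}

/* Writes a tiny hand-assembled function ("return 42") into a fresh page, makes
 * the page executable and calls it. Returns 42 if unsigned code was allowed to
 * run, -1 if the mapping or permission change was refused, -2 on an
 * architecture this stub does not cover. */
int run_unsigned_stub(void) {
#if defined(__x86_64__) || defined(__aarch64__)
#if defined(__x86_64__)
    static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                          0xc3 };                        /* ret */
#else
    static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                          0xc0, 0x03, 0x5f, 0xd6 };      /* ret */
#endif
    size_t len = 4096;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(p, stub, sizeof stub);                 /* "download" the new code */
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return -1;                                /* the OS enforced W^X / code signing */
    }
#if defined(__aarch64__)
    __builtin___clear_cache((char *)p, (char *)p + sizeof stub);  /* I-cache coherency */
#endif
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);   /* object -> function pointer without a cast warning */
    int r = fn();
    munmap(p, len);
    return r;
#else
    return -2;
#endif
}

int main(void) {
    int f = probe_dynamic_code_policy();
    printf("RWX mmap allowed:        %s\n", (f & POLICY_RWX_MMAP) ? "yes" : "no");
    printf("RW->RX mprotect allowed: %s\n", (f & POLICY_RW_TO_RX) ? "yes" : "no");
    printf("unsigned stub result:    %d\n", run_unsigned_stub());
    return 0;
}
```

Run it on a desktop OS and both answers are "yes" and the stub returns 42; a system that enforces the policy the article is about would refuse the RWX mapping, fail the mprotect call, or kill the process on the first executed byte. The probe makes the article's point concrete: once any app can reach a writable-executable region, the App Store review of the signed binary says nothing about the code the app runs afterwards.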
"Apple runs all these checks to make sure only the browser can use the exception. But in this one weird little corner case, it's possible. And then you don't have to worry about code-signing any more at all," he said.

At par with Android

Forbes noted that, unlike iOS, Google's Android does not require that apps be approved before they can be installed on its phones and tablets, an approach that has allowed malware onto Android devices. But with the security flaw he exposed, Miller said iOS security can be reduced to the level of Android. "Android has been like the Wild West. And this bug basically reduces the security of iOS to that of Android," he said.

Kicked out

For making the flaw public, Miller was kicked out of Apple's iOS Developer Program, and his apps were removed from the App Store, tech site The Next Web reported. "Although specifics have not been divulged, Apple would be remiss if it did not remove the apps immediately," it said.

Miller, for his part, said he was dismayed, saying Apple's response "feels heavy handed (and) I miss Steve (Jobs)."

"If he is indeed signed up as a researcher, then it seems that it would be more prudent for him to submit the vulnerability to Apple privately," The Next Web said. At the same time, it said Miller's work "does raise some questions about Apple's ability to police submitted applications that stealthily exploit issues in the OS."

— TJD, GMA News