So that's what happens when you highlight an iOS security hole

So that's what happens when you highlight an iOS security hole

Summary: Apple lets it through the door.

SHARE:
43

Mac hacker Charlie Miller discovered a security hole in the way Apple digitally signs apps for the App Store and used this information to create a 'legitimate' app of his own that passed all of Apple's checks, but which could download and run unsigned and unauthorized in users iOS devices.

Apple's response ... ban Miller's developer account and remove the app.

The app was interesting in that Miller could choose what payload was sent to the app. He could make it open an YouTube video, make the handset vibrate, and even get direct access to the file system and grab files like the address book database.

Serious stuff.

Miller says that he had to put a real app into the App Store featuring this vulnerability because without it 'people would say Apple wouldn't approve an app that took advantage of this flaw.'

Now, is Apple doing the right thing by banning Miller's developer account and removing the app? Yes, it is. The app, while not containing any malicious code, still deliberately leverages a serious security loophole and can download malicious payloads to the handset. This sort of behavior violates Apple's developer terms and conditions and as such is more than enough reason for Apple to give Miller the shove.

Note: The app had been in the Apple Store since September.

So, what worries me isn't that Apple kicked Miller and his app off the developer program, it's that Apple didn't spot what this app was doing in the first place. Miller had to talk about it before Apple realized what was going on. That's what I find very worrying.

Note: Given his reputation, the fact that Charile Miller had submitted an app should have set alarm bells ringing at Cupertino!

So, what happens when a developer (even if that developer is a well-known hacker) submits an app that leverages a vulnerability to Apple for approval? Apple approves it and hopes it doesn't contain a hidden vulnerability. Apple yanked Miller's app from the App Store because he talked about it. Bad guys don't do that sort of thing, so vulnerable apps could go unnoticed for a very long time.

I thought Apple's iOS ecosystem was supposed to be a walled garden. Seems to me like it has a low fence at best, one that's quite easy to step over, and once you're over, there's little chance that Apple will find out what you've done.

Related:

Topics: Apple, Hardware, Malware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

43 comments
Log in or register to join the discussion
  • Uhm...

    Checking a binary for issues is not a 100% spotless process? News at 11.

    Passive aggressive remark about walled garden promise of 100% security (which by definition should not be trusted)? Priceless ;).
    Panajev
    • Agreed....

      @Panajev : Adrian is just waiting for his check from "you know who" comes in the mail...
      cosuna
      • RE: So that's what happens when you push malware to Apple's App Store

        @cosuna Grow up.
        jgm@...
    • RE: So that's what happens when you push malware to Apple's App Store

      @Panajev
      Then Apple should be requiring source to be uploaded and compiled by them instead of accepting binaries.
      john-whorfin
    • Re: Uhm...

      Furious backpedalling over claims that Apple's platform is so much more secure than Android? News at 11.

      Passive-aggressive misrepresentation that above claims were ever made, and made loudly and repeatedly? Priceless :).
      ldo17
    • RE: So that's what happens when you push malware to Apple's App Store

      So, there was a bank out there. There was a vault in there. There was a crack in the wall leading right into the vault. People walked by ignoring it. Then a guy, with a piece of brain between his ears, stopped and shouted: "hey, there's a hole in the wall, I can see some diamonds in there !"<br>They put him in jail.
      dcdavy
    • It's kinda like shooting the cop chasing the bad guy out of your house ....

      @Panajev
      .... because the cop was trespassing?
      WOW!
      Incredible thinking there!
      :-(
      kd5auq
  • RE: So that's what happens when you push malware to Apple's App Store

    For a company wanting to wear the "Big Boy pants" they sure don't get it. That is totally obvious now.
    Apple has got to be the most Security "Unconscious" that I have ever seen. Apple doesn't get it because they believe kicking someone out, suing someone or just throwing a plain ol' Jobs tantrum will solve it all. Sadly to say guys, that's not working today, or tomorrow either, matter of fact you might as well get your head out of the hole it's in and look around.

    Your products are not as secure as you lead the masses to believe.

    Kicking people out, denying the facts until there out of control. In case you have missed the headlines nearly everyday, your weaknesses are being shown to all and it's not going to go away under a rug. The community is laughing at you, daily, yet you still just don't get it.
    Nate_K
    • RE: So that's what happens when you push malware to Apple's App Store

      @Nate_K Apple probably has dispatched a "security team" to your location as we speak :)
      sackbut
    • Agreed, with one caveat ...

      @Nate_K
      I haven't seen (yet) where Apple is denying this vulnerability. Apple puts out FAR more security updates for the iPhone than I see coming from Android, so they are admitting there are holes, but they aren't discussing them before a fix is ready.

      IF Apple doesn't fix the vulnerability (which I find doubtful) then you can say they are ignoring it. OTOH, I've had my HTC Evo Shift since January. I have received exactly two system updates for the phone (one of which had to be removed as it made the pone nearly unusably slow), and absolutely NO information in either one that any security vulnerabilities were being addressed. Since all systems are inherently vulnerable, I am left wondering what my carrier is doing to protect me when issues are discovered?

      Apple may try to bend the reality, but they do release updates to address issues as the issues are found. That is only one reason why I will eventually return to the iPhone. I have zero confidence in the "security" of Android.
      use_what_works_4_U
      • RE: So that's what happens when you push malware to Apple's App Store

        @macadam
        While what you say may very well be true (don't use a smartphone anymore - haven't used Android in 1+ years), Android doesn't market itself or it's app store as being secure. Apple has a long, inglorious history of touting that it is immune to malware, viruses and the like. Therefore, even with security fixes, banning someone who was exposing a serious security flaw in the only way that would be irrefutable is equivalent to sweeping it under the rug.
        p0figster
      • RE: So that's what happens when you push malware to Apple's App Store

        @macadam<br>Yes, and good luck trying to get various carriers to keep your phone updated. At least the Apple solution goes right to the people who have only themselves to blame, and not the carriers who may be lax in pushing updates - the Android way...which ALREADY has the same problem as this guy showed in the App Store!

        @p0figster - if you believe any of the marketing hype from any company about security, then you also only have yourself to blame.

        I did send a nastygram to Apple asking why they didn't include an invite to be a paid consultant at the same time as they kicked him out of iOS Dev. Let's keep it real...
        sjobs84
  • RE: So that's what happens when you push malware to Apple's App Store

    If he found a vulnerability and think it needed to be fixed, he should have told Apple about it... and maybe kept hounding them about it... but what he did was showing off and trying to get his name in the press. He didn't care about the vulnerability at all, just about getting his name in the headlines again.

    The problem here is not that there is an App with malware in it... that doesn't get in the App Store easily, and Miller didn't do it either. He fixed one that was able to install Malware after the App was already installed...
    doh123
    • RE: So that's what happens when you push malware to Apple's App Store

      @doh123
      Uh, he did tell Apple. 3 weeks ago. And if he hadn't managed to push the app to the App Store then everyone would simply claim that Apple wouldn't approve the app and so it would be a non-issue. Doing what he did he showed TWO security vulnerabilities, not just the one he exploited in the app. Furthermore, getting banned (an act of Apple) got him more publicity than not banning him would have. And the app is the malware - it connects to a sever that executes malicious code on the iPhone - more or less the definition of malware.
      p0figster
    • RE: So that's what happens when you push malware to Apple's App Store

      @doh123
      He did it the way he did because he wanted to make it impossible for Apple to turn around and deny it ever happened. He needed to make a public display to make his point.
      Doctor Demento
  • RE: So that's what happens when you push malware to Apple's App Store

    google says : you found a vulnerability? we'll pay you for helping us find it.

    apple says : you found a vulnerability? we'll make you pay for it.
    Jean-Pierre-
    • RE: So that's what happens when you push malware to Apple's App Store

      @Jean-Pierre- LOL! Nice point!
      mookiemu
      • No it's not

        @mookiemu
        It's nothing but snark. They didn't make Charlie Miller pay for finding a vulnerability. They made him pay for releasing malware. In the same situation I would hope Google would do the same thing. Every year since the iPhone came out Miller has found vulnerabilities - it's his job and he's good at it. The difference is that in the past he did the responsible thing by publishing his findings and Apple plugged every hole he found. This time he didn't publish his findings and released malware. That's unethical plain and simple.
        use_what_works_4_U
    • RE: So that's what happens when you push malware to Apple's App Store

      @Jean-Pierre-
      Apple says - you found a vulnerability, we'll patch it.

      Google says - you found a vulnerability? We may patch it but it's up to your carrier to give you the patch.

      recent articles have been highlighting that Apple is patching more frequently than anyone (both a good and a bad thing) but in my 10 months with an Android phone I have not been made aware of a single security update. I've seen only 2 system updates, one of which made my phone nearly unusable. As a consumer I'm a lot more worried about my Android's security than I ever was my iPhones and I will be going back for that (and many other) reason(s)
      use_what_works_4_U
    • Conversely,

      @Jean-Pierre- <br><br>Google says : you put a malware infected app in our app store? We'll pay you for it.<br><br>Apple says : you put a malware infected app in our app store? We'll ban you for it.
      matthew_maurice