Major Security Hole in iOS Puts Users at Risk

Lately, many blogs across the Internet have been abuzz with iOS security issues. First there was the iPad 2 Smart Cover fault in iOS 5, then there was the jailbreak bug that an iPhone Dev Team member found. Today, there’s something far, far more destructive. A renowned Mac hacker named Charlie Miller has discovered that within Apple’s rigorous app screening process, there is a major security bug that allows malicious apps to disguise themselves as honorable, innocent-looking ones. Miller intends to present how this exploit works at the SysCan conference in Taiwan next week. More important info after the break.

At the SysCan conference in Taiwan next week, Miller plans to present a method that exploits a flaw in Apple’s restrictions on code signing on iOS devices, the security measure that allows only Apple-approved commands to run in an iPhone or iPad’s memory. Using this method—and Miller has already planted a sleeper app in Apple’s App Store to demonstrate the trick—an app can phone home to a remote computer that downloads unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.

Not long after Forbes’ post, Miller posted a YouTube video detailing how this code signing flaw works. He uses his own app, Instastock, to demonstrate the method. First, Miller downloads the normal app and shows how it usually works. Then he downloads it again, but this time he has added code that makes the app download and run code on its first launch. That code, of course, sends him to the YouTube app for a Rickroll adventure — but things don’t end there. Next, he adds malicious code that gives him access to do whatever he wants on the device: he displays directory listings and process listings, vibrates the phone, downloads the address book, and does other things that apps should never be able to do.

Following the publishing of Miller’s video, Apple abruptly terminated his developer account and removed all his apps from the App Store. Forbes also notes that Apple put users’ security at risk when improving Safari’s browsing speed in iOS 5.

Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 early last year. To increase the speed of the phone’s browser, Miller noticed, Apple allowed JavaScript code from the Web to run at a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, he realized, the browser’s speed increase had forced Apple to create an exception that lets the browser run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.)

Once again, Miller will give full details at the SysCan conference in Taiwan. It’s almost certain that Apple engineers will be there, waiting to learn how it works so that they can resolve the matter. So don’t worry about your security just yet, since only Miller knows the exploit — at least as far as we know.

This kind of risk makes people wonder whether Apple’s devices are becoming more vulnerable. Hopefully Apple will patch this and all other major threats to users very soon. Expect yet another swift release of an iOS 5.0.1 beta.

[Forbes via iDownloadBlog]

This entry was posted in News. Originally submitted by Yakovlev.