iPhone security flaw shows potential for App Store malware
- 09 November, 2011 08:48
The iPhone App Store has a reputation for rock-solid security, but that rep took a hit this week when an app that could run unauthorized code and control phones remotely was released to the public.
Luckily, this bad app was released for research purposes--not malicious ones.
Security researcher and famous Mac hacker Charlie Miller demonstrated an iPhone security flaw using a dummy stock ticker app that Apple unwittingly accepted into the App Store. The app was able to call a remote computer, which could then download unsigned code to the iPhone, harvest sensitive data, and trigger actions such as vibrations and ringtones.
Apple has already removed the program from the App Store, and has terminated Miller's developer license, Forbes reports.
Miller plans to describe the flaw in detail at the SyScan conference in Taiwan next week, but the gist is that mobile Safari's "Nitro" JavaScript engine, released with iOS 4.3, requires the privilege of running unapproved code in a region of the iPhone's memory. Miller's exploit extends this privilege to other apps, which, unlike Safari, are normally barred from running unapproved code for security reasons.
iPhone users needn't panic; the offending app is already gone, and Miller expects Apple to squash the security bug before it can be used in real attacks. Still, this exploit proves that the App Store's strict security measures aren't impenetrable. Security researchers have been saying this for years, but Miller has actually demonstrated it in the real world.
Follow Jared on Facebook, Twitter or Google+ for even more tech news and commentary.