
iPhone security hole lets apps run unsigned code

A new exploit targets Apple's Safari browser, this time to bring unsigned code to iOS applications, even ones that have passed App Store review.

Josh Lowensohn Former Senior Writer
Josh Lowensohn joined CNET in 2006 and now covers Apple. Before that, Josh wrote about everything from new Web start-ups, to remote-controlled robots that watch your house. Prior to joining CNET, Josh covered breaking video game news, as well as reviewing game software. His current console favorite is the Xbox 360.
[Image: Safari Mobile. Credit: Apple]

A newly discovered security hole in Apple's iOS opens the door for third-party applications to add unapproved features, even after they have gone through Apple's App Store approval process.

Forbes today reports on new findings by Accuvant security researcher Charlie Miller, who next week is taking the wraps off a new iOS exploit he found that lets applications download unsigned code capable of changing their functionality after they are installed.

The exploit makes use of an exception that was added to Apple's Safari mobile browser in iOS 4.3 last year, which gives JavaScript special access to the iOS device's memory. As Miller explains, apps can use this access to run code that wasn't signed by Apple, extending what an app is able to do.

That includes a number of things available through Apple's SDK, like accessing user contacts and photos, along with activating hardware features like the vibration motor and speakers. The fear is that, in the wrong hands, such features could be abused by a third party.

To test it, Miller planted a test application called Instastock on the App Store. Apple approved it, but pulled it later today after Miller's findings were published. The first time it was launched, the software checked in with Miller's private server, then downloaded additional unsigned code payloads, which it would then run.

Miller demonstrates the whole process in a video provided to Forbes, which is embedded below. It shows the app functioning normally on first launch, then playing a YouTube video instead after it has been injected with new code from Miller's server.

Apple did not respond to a request for comment on the security hole.

Worth noting is that any app that exploits this loophole would be rejected from the App Store under Apple's App Store Guidelines. Such behavior violates a handful of rules in the "functionality" section of the document, including (but not limited to):

2.3 Apps that do not perform as advertised by the developer will be rejected
2.4 Apps that include undocumented or hidden features inconsistent with the description of the app will be rejected
2.7 Apps that download code in any way or form will be rejected

If Apple discovers such behavior, the company will reject the app and "expel" the offender from its developer program. In a tweet this afternoon, Miller noted that he had been kicked out of Apple's iOS developer program.

Mobile Safari has been the gateway to previous hacks, most notably tools that let users jailbreak their device, giving them read/write privileges and the ability to install third-party application installers. In the past, the targets within Safari have been components like the PDF and image viewers. Apple responded by issuing fixes for those exploits in software updates.

Miller told CNET he alerted Apple to the exploit three weeks ago, but could not comment on whether the vulnerability is patched in iOS 5.0.1, which is expected to be delivered to users by the end of the month. That software update fixes a battery-draining bug that has affected some users and makes unnamed "security improvements."

Here's a video of Miller demonstrating the exploit in its working form: