iPhone security hole lets apps run unsigned code
A new exploit targets Apple's Safari browser, this time to bring unsigned code to iOS applications--even if it's passed App Store review.
A newly-discovered security hole in Apple's iOS opens up the door for third-party applications to add unapproved features, even after they've gone through Apple's App Store approval process.
Forbes today reports on new findings by Accuvant security researcher Charlie Miller, who next week is taking the wraps off a new iOS exploit he found that lets applications download unsigned code that's able to change their functionality after it's installed.
That includes a number of things available through Apple's SDK, like accessing user contacts and photos, along with activating hardware features like the vibration motor and speakers. The fear is that, in the wrong hands, such features could be exploited through a third party.
To test it, Miller planted a test application called Instastock on the App Store. Apple approved the app, though it pulled it later today after Miller's findings were published. The software checked in with Miller's private server the first time it was launched, then downloaded additional unsigned code payloads, which it then ran.
Miller demonstrates the whole process in a video provided to Forbes, which is embedded below. It shows the app functioning normally on first launch, then playing a YouTube video instead after it's injected with new code from Miller's server.
Apple did not respond to a request for comment on the security hole.
Worth noting is that any app that exploits this loophole would be rejected from the App Store, as per Apple's. Such behavior violates a handful of rules in the "functionality" section of the document, including (but not limited to):
2.3 Apps that do not perform as advertised by the developer will be rejected
2.4 Apps that include undocumented or hidden features inconsistent with the description of the app will be rejected
2.7 Apps that download code in any way or form will be rejected
If such behaviors are discovered by Apple, the company will reject the app and "expel" the offender from the company's developer program. In a tweet this afternoon, Miller noted that he had been kicked out of Apple's iOS developer program.
Mobile Safari has been the gateway to previous hacks, most notably tools that would enable users to jailbreak their device, giving them read/write privileges, and the capability to install third-party application installers. In the past, targets within Safari have been thingsand . Apple responded by issuing fixes for the exploits in software updates.
Miller told CNET he alerted Apple to the exploit three weeks ago, but could not comment on whether the vulnerability is patched in iOS 5.0.1, which is expected to be delivered to users. That software update fixes a battery draining bug that's affected some users and makes unnamed "security improvements."
Here's a video of Miller demoing the exploit in its working form:
Updated at 4:26 p.m. PT to note that Miller's app was pulled from the App Store, and that his access to Apple's developer tools was revoked.