Apple’s App store security breached

A man who created a bogus stock price tracker app for the iPhone that was in fact malware has been thrown out of Apple’s developer program. That would seem uncontroversial until you discover the app was designed to highlight a security flaw rather than cause damage or steal data.

Charlie Miller was told his right to create and upload apps had been terminated “effective immediately.”

If Miller’s name seems familiar, that may be because he’s a perennial winner at the PWN2OWN competition, held at the CanSecWest security event in Vancouver each year. Contestants can ask judges to visit a URL using various combinations of hardware, operating system and browser, with the latest publicly available security updates applied. Last year’s contest was particularly bad for Apple, with a MacBook Pro running Safari the first computer to fall (Miller being the successful attacker) and the iPhone the first smartphone hacked.

According to Miller, his latest “attack” came after he spotted a security flaw in iOS. The flaw, unwittingly introduced in a recent iOS update, appeared to allow code to be added to an app after it had already been vetted by Apple and installed on devices.

To prove this was a genuine threat, Miller released an app named InstaStock in September. Using a post-approval update, he says he was in a position where he could have remotely downloaded contacts and pictures from phones running the app.

Miller says he reported the flaw to Apple in mid-October. He went public yesterday and was barred from the program a few hours later. He’s scheduled to unveil more details of the flaw at a security conference next week.

The BBC quotes one possibly overenthusiastic analyst who calls the revelation “the most significant threat yet to Apple’s app store economy.”

Meanwhile, The Register has more details on the flaw, making the important point that it merely allows would-be attackers the same opportunities they’ve had on Android devices for some time.

(Image credit: Garret Gee)

3 Responses to Apple’s App store security breached

  1. ====
    The BBC quotes one possibly overenthusiastic analyst who calls the revelation “the most significant threat yet to Apple’s app store economy.”
    ====
    Meh, part of me hopes it does. I love my MacBook, but I hate the app store. Most of the content is total garbage, and the stuff on there that's worthwhile can be found at the developer's site. Security issues, quality control, and frequent bugs.
    They need some serious developer vetting on there.

  2. Why are the people who reveal weaknesses considered villains?
    He could have kept this secret and really made Apple look like fools later on, but instead he revealed it and they ban him? Nice job.
