iPhone security flaw shows potential for App Store malware

It turns out the Apple store isn't all that secure.

Jared Newman (PC World (US online))
09 November, 2011 08:48
Comments

The iPhone App Store has a reputation for rock-solid security, but that rep took a hit this week when an app that could run unauthorized code and control phones remotely was released to the public.

Luckily, this bad app was released for research purposes--not malicious ones.

Security researcher and famous Mac hacker Charlie Miller demonstrated an iPhone security flaw using a dummy stock ticker app that Apple unwittingly accepted into the App Store. The app was able to call a remote computer, which could then download unsigned code to the iPhone, harvest sensitive data, and trigger actions such as vibrations and ringtones.

Apple has already removed the program from the App Store, and has terminated Miller's developer license, Forbes reports.

Miller plans to describe the flaw in detail at the SysCan conference in Taiwan next week, but the gist is that mobile Safari's "Nitro" JavaScript engine, released with iOS 4.3, requires the privilege of running unapproved code in a region of the iPhone's memory. Miller's exploit extends this privilege to other apps, which are usually barred from running unapproved code in the same way as Safari for security reasons.

iPhone users needn't panic; the offending app is already gone, and Miller expects Apple to squash the security bug to prevent legitimate attacks. Still, this exploit proves that the App Store's strict security measures aren't impenetrable. Security researchers have been saying this for years, but Miller has actually demonstrated it in the real world.

Follow Jared on Facebook, Twitter or Google+ for even more tech news and commentary.

Bookmark this page
Share this article
- facebook
- slashdot
- digg
- Reddit
- stumbleupon
- linkedin
- twitter
Got more on this story? Email Computerworld
Follow Computerworld on twitter

More about: Apple, Facebook, Google, Newman

References show all

Comments

Post new comment

Share
Share this article
- google+
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
print
email
Bookmark

Related Coverage

Related Whitepapers

Case Study: NZ Bus Develops Applications 60% Faster, Improves Database Performance by up to 35%

Key Benefits: Developed applications 60% faster, Created development and test environments in minutes compared to days and weeks previously, Reduced server costs by 30% with server virtualisation, Saved NZ$40,000 in database administrator training costs, Provided high availability features that keep the database and core applications up and running in the event of a server failure, Introduced compression capabilities that improved database performance by 30% to 35%. Read on.

Featured Download

Seamonkey

Seamonkey includes an Internet browser, email and newsgroup client with an included web feed reader, HTML editor, IRC chat and web development tools. SeaMonkey will ...

Zones

Most Popular Whitepapers

Process-Driven Master Data Management for Dummies

We wrote this book to introduce you to the subject of processdriven MDM. It’s a big topic, one that far outstrips the ability of a brief book to cover. However, our hope is that by reading this book you will gain a fundamental understanding of processdriven MDM, how it works, and what it takes to make it a success in your organisation.

Popular tags: Business Management, Security, Data Centre, Storage, Master Data Management

Latest Jobs

CCSystem Engineer - Lync and Exchange - CONTRACTSWA
FTSenior Network Field Engineer - Cisco R&S / Wireless SolutionsNSW
FTSAP Basis ConsultantNSW
CCAvaya Engineer - ERS 8600 4.1NSW
FTSAP Basis ConsultantACT
CCOBIEE ConsultantWA
FTSenior Network Engineer - Cisco / Nexus / UCS / - Routing / Switching / WirelessNSW
FTProduct Manager Strategist - Enterprise ApplicationsNSW
CCSystem Engineer - Exchange - CONTRACTSWA
CCSAP PM ConsultantNSW
FTSenior Network Field Engineer - Cisco R&S / Wireless SolutionsNSW
CCSAP FICO ConsultantNT
FTIT Account Manager - System Integrator - Career Progression - Start ImmediatelyNSW
FTSenior Citrix EngineerNSW
FTTechnical Services Engineer - ShoreTel/MitelVIC
FTChange Management ProfessionalsNSW
FTQM Trainer and ConsultantNSW
FTSenior Citrix EngineerNSW
FTiPhone App DeveloperNSW
FTiPhone App DeveloperNSW
FTIT Service Desk EngineerNSW
FTiPhone App DeveloperNSW
FTiPhone Developer DeveloperNSW
CCPC Relocation Technicians - Multiple Roles availableSA
FTIT Service Desk EngineerNSW

Market Place

iPhone security flaw shows potential for App Store malware

Comments

Post new comment

A comparison of Telstra's 4G phones

Coalition NBN better or worse?

Bredolab botnet author sentenced to 4 years in prison in Armenia

Alternatives to Raspberry Pi you can get right now

NBN ISS could pose capacity constraints

Which tablet should I buy? iPad 2 vs Sony Tablet S

NBN service plans won't cost consumers more: Conroy

Microsoft at a loss over Event Viewer scam

Stallman: If you want freedom don't follow Linus Torvalds

CeBIT 2012: Will NBN speed up freight delivery times?

Coalition NBN better or worse?

Case Study: NZ Bus Develops Applications 60% Faster, Improves Database Performance by up to 35%

Spear Phishing Attacks - Why they are successful and how to stop them

Top 10 Mistakes in Data Centre Operations: Operating Efficient and Effective Data Centers

Prepare Your Enterprise for the Mobile Revolution: Boost the Bottom Line with Mobile UC

Seamonkey

Avaya Air Cover Zone

Application Lifecycle Management

HP Converged Storage Zone

HP Business Efficiency - Money Payback Guarantee Resource Centre

The Australian Cloud

Process-Driven Master Data Management for Dummies

Business Intelligence Best Practices for Dashboard Design

Learning To Compete: IT’s Next Transformation

Seven Steps to Effective Data Governance

Guidance for Calculation of Efficiency (PUE) in Data Centers

Computerworld newsletter

Don't have an account?

iPhone security flaw shows potential for App Store malware

Comments

Post new comment

Computerworld newsletter