There is a bug in Apple iOS that enables an attacker to run unsigned code on a user’s device, circumventing the company’s checks on apps in the iTunes App Store. The bug, which researcher Charlie Miller identified, can be exploited by an app to take actions on the device without the user’s knowledge.
Miller has written a benign demo app that has been in the iTunes App Store since Sept. 14. The app, Instastock, ostensibly just displays real-time stock price information, but Miller added functionality that enables the app to communicate with a server he controls. He can issue commands to the app and have it perform any number of actions, including accessing the user’s contact list. The bug that Miller found enables him to circumvent the restrictions Apple has in place that prevent any unsigned code from running on the iPhone.
Miller informed Apple of the bug on Oct. 14 and he expects the company to issue a fix for it in the near future, considering the seriousness of the vulnerability. The bug works on any iOS device running version 4.3 or later, he said, including iPads.
“They don’t like this stuff where they lose control of the platform. It’s serious stuff for them,” said Miller, a principal research consultant at Accuvant. Miller will discuss the vulnerability at the SyScan conference in Taiwan next month.
The iPhone platform is built with the intention that it will only run signed apps that users have installed from the official App Store. Users have been able to get around this restriction at various times through the use of vulnerabilities that have let them jailbreak their phones and load third-party software. Apple usually is quick to fix those flaws, however. Miller’s bug isn’t a jailbreak-style flaw, but it is just as serious in its own way, as it shows that right now users can’t necessarily trust that every app they download from the App Store is completely legitimate.
When a user first installs the Instastock app, it immediately phones home to the server that Miller has set up. Typically, the app won’t find any updates there. But in a video that Miller produced to demonstrate the exploit, he placed a file on the server and when the app on his demo iPhone contacted it, his code exploited the bug on the iPhone and gave him a remote shell. He was then able to issue remote commands to the iPhone. Other users have downloaded the app, as well, but there is no code for their apps to download when they contact Miller’s server, so they haven’t been exploited by the demo.
“In some sense, it’s less serious than a remote code-execution bug, because you have to download an app to exploit it,” Miller said. “But if I had a second bug like the Jailbreakme.com bugs, then I could jailbreak the phones, too.”
Miller said that his first attempt to get his demo app into the App Store failed, but not because Apple’s review caught the bug he was using. Instead, it was because the app, which enabled a user to zoom in on pictures of David Hasselhoff, didn’t have any real value to users. So he then designed the real-time stock ticker, which also was rejected initially.
“They told me I had used an illegal API, and I thought they had caught what I was doing, but they didn’t,” he said.
He reworked the app a second time and it made it into the App Store within a few days. A big part of Apple’s security model for its iOS devices is its review process for apps. Apple goes over every app that’s submitted, but how that review works is a mystery. Miller said that given the volume of apps these days, there’s really no way for Apple to do the review manually. Instead, it’s likely being done in a simulated environment that is designed to test certain functionality. That test didn’t catch Miller’s exploit, however.
“They could’ve caught it statically I guess if they’d seen that I was allocating memory in this weird way,” he said.