iPhone unsecure

There is a bug in Apple iOS that enables an attacker to run unsigned code on a user’s device, circumventing the company’s checks on apps in the iTunes App Store. The bug, which researcher Charlie Miller identified, can be exploited by an app to take actions on the device without the user’s knowledge.

Miller has written a benign demo app that has been in the iTunes App Store since Sept. 14. The app, Instastock, ostensibly just displays real-time stock price information, but Miller added functionality that enables the app to communicate with a server he controls. He can issue commands to the app and have it perform any number of actions, including accessing the user’s contact list. The bug that Miller found enables him to circumvent the restrictions Apple has in place that prevent any unsigned code from running on the iPhone.

Miller informed Apple of the bug on Oct. 14 and he expects the company to issue a fix for it in the near future, considering the seriousness of the vulnerability. The bug works on any iOS device running version 4.3 or later, he said, including iPads.

“They don’t like this stuff where they lose control of the platform. It’s serious stuff for them,” said Miller, a principal research consultant at Accuvant. Miller will discuss the vulnerability at the SyScan conference in Taiwan next month.

The iPhone platform is built with the intention that it will only run signed apps that users have installed from the official App Store. Users have been able to get around this restriction at various times through the use of vulnerabilities that have let them jailbreak their phones and load third-party software. Apple usually is quick to fix those flaws, however. Miller’s bug isn’t a jailbreak-style flaw, but is just as serious in its own way, as it shows that right now, users can’t necessarily trust that every app they download from the App Store is completely legitimate.

When a user first installs the Instastock app, it immediately phones home to the server that Miller has set up. Typically, the app won’t find any updates there. But in a video that Miller produced to demonstrate the exploit, he placed a file on the server and when the app on his demo iPhone contacted it, his code exploited the bug on the iPhone and gave him a remote shell. He was then able to issue remote commands to the iPhone. Other users have downloaded the app, as well, but there is no code for their apps to download when they contact Miller’s server, so they haven’t been exploited by the demo.

“In some sense, it’s less serious than a remote code-execution bug, because you have to download an app to exploit it,” Miller said. “But if I had a second bug like the Jailbreakme.com bugs, then I could jailbreak the phones, too.”

Miller said that his first attempt to get his demo app into the App Store failed, but not because Apple’s review caught the bug he was using. Instead, it was because the app, which enabled a user to zoom in on pictures of David Hasselhoff, didn’t have any real value to users. So he then designed the real-time stock ticker, which also was rejected initially.

“They told me I had used an illegal API, and I thought they had caught what I was doing, but they didn’t,” he said.

He reworked the app a second time and it made it into the App Store within a few days. A big part of Apple’s security model for its iOS devices is its review process for apps. It goes over every app that’s submitted, but how that review works is a mystery. Miller said that given the volume of apps these days, there’s really no way for Apple to do the review manually. Instead, it’s likely being done in a simulated environment that is designed to test certain functionality. The test didn’t catch Miller’s exploit, however.

“They could’ve caught it statically I guess if they’d seen that I was allocating memory in this weird way,” he said.

Categories: Hacks, Mobile Security

Comments (4)

  1. drstrangep0rk

    Interesting, however the other part of their security model is code signing which means he digitally signed his APP. It will not be long before it is pulled, so now the question is was he in violation of the TOS and what will Apple do.

    So with NSURLRequest and NSXMLParser, download some Javascript which executes at a lower level than in the past you can execute low level commands. Hell why not meterpreter? Question are you out of APPLE’s Application Sandbox, what can you do? What is the threat level? Stealing of data remotely or is the data encrypted? Interesting jailbreak, very clever…

    Details at his presentation should be interesting, namely what can you do with the access and threat?

    Of course, he may have some Apple issues to deal with before that…

    The Jail Break community will figure it out as well, long before that I suspect.


  2. drstrangep0rk

    Oh, and does it get around Hardware encryption and data protection if a long passcode is used.


  3. drstrangep0rk

    Is he able to avoid Hardware encryption built in or does his APP only allow the exploit to have ACCESS TO THE STANDARD DATA MANAGEMENT FRAMEWORKS in IOS 5?

    May be an interesting question. The code he gets on the phone has access to exactly what every app has access to:

    URL based syntax for iTunes, Mail and YOUTUBE (See his first example in video.)

    His APPS specific XML Files

    Calendar and Safari client side storages.

    Curious about the response.

