Esato


Evil app passed Apple App Store security control
laffen
Sony Xperia Z5 Compact
Joined: Aug 07, 2001
Posts: > 500
From: Oslo, Norway
Posted: 2011-11-08 14:24
Even the most strict app store seems to have security issues. A hacker has managed to pass the Apple App Store censorship with a Trojan app.
Esato News

Trojan app in Apple App Store 

You might have thought that the Apple App Store was a safe place to buy your apps because of the tight control enforced by Apple? It might not have been so safe after all. A hacker has found a way to pass the Apple control with his evil apps. Hacker Charlie Miller made a simple stock ticker app and uploaded it to the Apple App Store. It passed the security guards without any trouble and, as Mr Miller later proved, this app can be remote controlled by an attacker who then has complete control of the iPhone. He can download anything from the phone, such as the address book and captured photos.

This incident is now out in the open because the hacker Charlie Miller himself has told the world about it. We can only speculate whether someone else with real evil purposes has done something similar before. Apple would for sure not say anything about that. It further proves that you should only download and install apps from trustworthy sources, and this applies to all app platforms.

Strangely enough, Apple has removed the app from the App Store and terminated Mr Miller's developer account.

source

anonymuser
Apple iPhone 4S
Joined: Dec 17, 2002
Posts: > 500
Posted: 2011-11-08 15:04
The real story here is not so much the app itself (which was only a "proof of concept") but the apparent bug in iOS which allowed it to run the way it did - that shouldn't have been possible even with the App Store approval, but Miller was exploiting a bug which allowed the app much deeper access than the OS would normally allow any third-party app, to run external code. Once Apple patch that, it won't matter how many similar apps make it into the store.

Of course Android apps have been actively exploiting similar unpatched weaknesses in that OS for a long time, and nobody polices those at all.
[ This Message was edited by: Boinng on 2011-11-08 14:07 ]
laffen
Sony Xperia Z5 Compact
Joined: Aug 07, 2001
Posts: > 500
From: Oslo, Norway
Posted: 2011-11-08 17:44
The difference between Android Market and the Apple App Store is that this was totally unexpected for those owning an iOS product. Android owners are hopefully treating the Android Market the same way they do the Internet: do not download executables from unknown/unreliable sources.
Bonovox
LG G4
Joined: Apr 13, 2008
Posts: > 500
Posted: 2011-11-08 18:34
It seems that Apple has more strict security than Android.
Phone?? What phone??
etaab
Nokia N8
Joined: Jan 23, 2004
Posts: > 500
From: UK - South Yorkshire
Posted: 2011-11-08 21:54
I don't like how Esato reports this guy as a hacker though, he was part of Apple's circle of developers.

He simply made an app to show a weakness in Apple's software but went about it the wrong way; he should have contacted Apple first with this POC app and not submitted it for approval.

He did deserve to get the boot from Apple though for going about it the wrong way, as someone could potentially have used the app to perform something sinister if they'd known what it could do. I think Apple themselves should have been a little more forgiving though and possibly only kicked him out temporarily.

It does show though that Steve Jobs' mighty OS isn't as user friendly as he said it would be. Clearly being a closed OS doesn't mean a better user experience if the user's details are being hacked.
[ This Message was edited by: etaab on 2011-11-08 20:57 ]
Check me out on Instagram ! search for etaab !
laffen
Sony Xperia Z5 Compact
Joined: Aug 07, 2001
Posts: > 500
From: Oslo, Norway
Posted: 2011-11-09 00:23
Hacker - In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge. A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system.
etaab
Nokia N8
Joined: Jan 23, 2004
Posts: > 500
From: UK - South Yorkshire
Posted: 2011-11-09 23:53
If it were me that did it, I'd still be labelled differently though, as the word hacker makes people think negatively of you. I think he was more of a QA tester.
Check me out on Instagram ! search for etaab !
anonymuser
Apple iPhone 4S
Joined: Dec 17, 2002
Posts: > 500
Posted: 2011-11-10 00:13
He'd probably call himself a security specialist or consultant of some kind - it's true that hacker has a pretty negative ring these days. The guy in question is quite well-respected and has done a pretty clever job here by all accounts - he also reported the issue straight to Apple for them to fix, although it has ended up costing him his dev account, since by definition he broke the rules. That seems a shame to be fair - Apple are better off with people like Miller working with them, rather than out on the fringes.
anonymuser
Apple iPhone 4S
Joined: Dec 17, 2002
Posts: > 500
Posted: 2011-11-10 21:48
Fixed! Back to the world of complete and utter security we go... http://www.theregister.co.uk/[....]/10/apple_iphone_security_bug/
laffen
Sony Xperia Z5 Compact
Joined: Aug 07, 2001
Posts: > 500
From: Oslo, Norway
Posted: 2011-11-10 22:29
Until next time.
masseur
P910
Joined: Jan 03, 2003
Posts: > 500
From: Sydney, London
Posted: 2011-11-10 22:41
Of course.

After 30+ years as a developer, I was saying just the other day in another topic that there will always be bugs in software and that is unavoidable no matter how much you spend on test effort. In fact, it is this fact that keeps me working as an... um... developer.

Now there is real irony.
Bonovox
LG G4
Joined: Apr 13, 2008
Posts: > 500
Posted: 2011-11-10 22:51
Do you work on security within your developer skills??
Phone?? What phone??
masseur
P910
Joined: Jan 03, 2003
Posts: > 500
From: Sydney, London
Posted: 2011-11-10 23:00
Not specifically, there are specialists for that.

It's assumed that any OS I work with in providing user apps also provides the necessary security.

If I do get involved in apps that cross firewall boundaries then of course such apps go through more stringent testing via people who can better test such apps. This is a commercial reality in any business, but the nature of software development is that not every test case can be conceived and/or tested.
Bonovox
LG G4
Joined: Apr 13, 2008
Posts: > 500
Posted: 2011-11-10 23:02
Be interesting to know how the developing is done. Never known anything about it.
Phone?? What phone??
masseur
P910
Joined: Jan 03, 2003
Posts: > 500
From: Sydney, London
Posted: 2011-11-10 23:08
That's a very long story, indeed never ending.

I myself have developed software for around 35 years since the first Tandy TRS-80 and Commodore PET.
I hold ISEB qualification at advanced testing level and PRINCE2 project management and yet I still get tripped over by software that has bugs... as a realist this shows me both the limitations of qualifications and also real life software development life cycle experience.

If you ever have kids you will also realise that no matter how many books you read or how many people who have had kids you talk to, the experience you have is never the same and you still have lots to learn.

say no more...