Evil app passed Apple App Store security control
8 November 2011 by Olav Hellesø-Knutsen
Even the most strict app store seems to have security issues. A hacker has managed to pass the Apple App Store censorship with an Trojan app
You might have thought that the Apple App Store was a safe place to buy your apps because of the tight control enforced by Apple? It might not have been so safe after all. A hacker has found a way to pass the Apple control with his evil apps. Hacker Charlie Miller made a simple stock ticker app and uploaded it to the Apple App Store. It passed the security guards without any trouble and as mr Miller later proved, this app can be remote controlled by an attacker which has complete control of the iPhone. He can download anything from the phone such as the address book and captured photos.
This incident is now out in the open because the hacker Charlie Miller himself has told the world about it. We can only speculate if someone else with real evil purposes has done something similar before. Apple would not for sure not say anything about that. It further proves that you should only download and install apps from trustworthy sources and this applies for all app platforms.
Strangely enough, Apple has removed the app from the App Store and terminated mr Millers developer account.
Alternatively post this in the Esato forum
Please sign in to your Esato account to leave a comment regarding this article
The real story here is not so much the app itself (which was only a "proof of concept") but the apparent bug in iOS which allowed it to run the way it did - that shouldn't have been possible even with the AppStore approval, but Miller was exploiting a bug which allowed the app much deeper access than the OS would normally allow any third party app to run external code. Once Apple patch that, it won't matter how many similar apps make it into the store.
Of course Android apps have been actively exploiting similar unpatched weaknesses in that OS for a long time, and nobody polices those at all.
[ This Message was edited by: Boinng on 2011-11-08 14:07 ]
The difference between Android Market and the Apple App Store is that this was totally unexpected for those owning an iOS product. Android owners are hopefully treating the Android Market the same way they do on the Internet. Do not download executable from unknown/unreliable sources.
It seems that Apple has more strict security than Android
I dont like how Esato reports this guy as a hacker though, he was part of Apples circle of developers.
He simply made an app to show a weakness in Apples software but went about it the wrong way, he should have contacted Apple first with this POC app and not submitted it for approval.
He did deserve to get the boot from Apple though for going about it the wrong way as someone could potentially have used the app to perform something sinister, if they'd known what it could do. I think Apple themselves should have been a little more forgiving though and possibly only kicked him out temporarily.
It does show though that Steve Jobs mighty OS isnt as user friendly as he said it would be. Clearly being a closed OS doesnt mean a better user experience if the users details are being hacked.
[ This Message was edited by: etaab on 2011-11-08 20:57 ]
Hacker - In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge. A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system
If it were me that did it, i'd still be labelled differently though as the word hacker makes people think negatively of you. I think he was more of a QA tester.
He'd probably call himself a security specialist or consultant of some kind - it's true that hacker has a pretty negative ring these days. The guy in question is quite well-respected and has done a pretty clever job here by all accounts - he also reported the issue straight to Apple for them to fix, although it has ended up costing him his dev account, since by definition he broke the rules. That seems a shame to be fair - Apple are better off with people like Miller working with them, rather than out on the fringes.
Fixed! Back to the world of complete and utter security we go... http://www.theregister.co.uk/[....]/10/apple_iphone_security_bug/
Until next time
after 30 years+ as a developer I was saying just the other day in another topic that there will always be bugs in software and that is unavoidable no matter how much you spend on test effort. In fact, it is this fact that keeps me working as an... um... developer
now there is real irony
Do you work on security within your developer skills??
not specifically, there are specialists for that.
Its assumed that any o/s I work with in providing user apps also provides neccessary security.
If I do get involved in apps that cross firewall boundaries then of course such apps go through more stringent testing via people who can better test such apps. this is a commercial reality in any business but the nature of software development is that not every test case can be conceived and/or tested
Be interesting to know how the developing is done. Never known anything about it.
thats a very long story, indeed never ending.
I myself have developed software for around 35 years since the first Tandy TRS-80 and Commodore PET.
I hold ISEB qualification at advanced testing level and PRINCE2 project management and yet I still get tripped over by software that has bugs... as a realist this shows me both the limitations of qualifications and also real life software development life cycle experience.
if you ever have kids you will also realise that no matter how many books you read or how many people who have had kids that you talk to, the experience you have is never the same and you still have lots to learn
say no more...
Wow Tandy made me think of Tandy stores then!! Not going to have kids am 40 in January but I know what you mean.
In all fairness, this is (or was) the first time Apple's codesigning security on the iPhone has been breached since 2007 (or at least 2008 when the AppStore launched) so it's not exactly a fast-paced game of cat and mouse game we're playing here!
First time? I guess you are right, but we do not know that. Just like your local bank, Apple would not go public about any security breaches they might have had.
Perhaps not, but any user that encountered them and/or suffered loss surely would. There simply haven't been any such cases on the iOS platform, it hasn't happened, as much as any number of security consultants and antivirus vendors would love to claim otherwise!
[ This Message was edited by: Boinng on 2011-11-10 22:37 ]
Programming anything is a complicated business which sadly is lost on most of us here in the UK, something highlighted by a high ranking member of Google a few weeks ago when he mentioned how we're so limiting our potential by not teaching computer sciences at school level by default.
But then, because of that fact we dont end up with 15 year olds breaking into the FBI or programming malicious software to destroy rival gaming servers. I found that out the hard way years ago when playing a pc game online, i annoyed some rivals who didnt like the fact i was better than them and so hacked the entire gaming network.
So being in the know at a developer level like this guy can be used for good or evil. Again i think Apple could have been a bit more grateful rather than complete disgust.
I was programming in the early pc days. I also worked part time while still at school for an accountant doing trial balance software as well as software specific to one of his business clients who was physically impared. I've developed on most platforms since Z80, and in almost every language from assembler through cobol, fortran, pascal, bliss, C varients, blah blah blah...
I don't wish to put my entire CV here but its sure that my experience since the days even before PC's gives me some perspective on the industry that I have followed and been a part of for 85% of my life.
I don't admit to any hacking as such but I do remember having a huge laugh at the likes of War Games when it came out as I had already been using accoustic modems prior to that with software written in Basic to randomly dial phone numbers (but then who hadn't!)
I do think these days more software people like me are more interested in showing gaps in security and being taken on by the companies we expose than in malicous activities that these days are more likely to get us in prison, or extradited to countries that wish to imprison us.
How is the iOS programming going? Can we buy an app made by you from the App Store anytime soon or are you waiting for the perfect app idea?
I've done a few now, but none that I would openly advertise. if not because they are not yet that good, but more that it would also probably be against forum rules regarding promoting open interest, but to be honest I've still alot to learn!
Objective C is moving at a fast pace in the iOS world and I can't dedicate the time it deserves
Masseur can make the Esato app for iOS and Android
its already been decided that tapatalk would probably be the most easily adapted protocol if this was deemed neccesssary.