Security researcher Charlie Miller has discovered a flaw in iOS 4.3 which allows an attacker to run unsigned code on an iPhone or iPad, breaking the vetting system Apple uses to keep malware off the platform.
Miller released a demo on YouTube showing that the bug allowed him to use a rigged app to steal contact lists, view directory listings and processes on the iOS device, and even make the phone vibrate. "Code signing's important," Miller points out in the video, "because that's the way Apple protects you from malware." While he never revealed exactly what flaw he found, according to Kaspersky Lab's Threatpost blog, Miller said his app was "allocating memory in this weird way".
To get past Apple's signing processes, Miller wrote a legitimate looking stock market ticker app "InstaStock" that was published on September 14 — a week prior to Miller posting his demo on YouTube and a month prior to him disclosing the flaw to Apple.
Despite getting around the App Store check, Miller was rejected twice before — the first time because Apple believed a feature in a previous app had no real value to users and the second time because Miller used an illegal API.
The first thing the app does after a user installs it is check in with his demo attack server to see if there's any code to download.
In the first demonstration the app had nothing to download from the remote server, which would have been what the people who vet apps for the App Store would have seen, said Miller.
Later he demonstrates the app’s installation after placing a nastier file on his attack server containing code he was able to run on the iOS device "that Apple definitely wouldn't have approved if they had seen it".
That code would give the attack system a remote "shell" which would in Miller's words "allow the attacker to do whatever they want."
"It shows malware can run on the iPhone with this flaw and Apple's going to fix this flaw and we'll be back in the place where we'll be protected because of the App Store," said Miller.
According to Threatpost, Miller alerted Apple to the bug on October 14. The flaw affects any iOS device running 4.3 or later.
The exploit was less serious than remote code execution bugs, such as the JailbreakMe.com bugs because a user would first have to install it, Milled pointed out.
Miller, who has found several important flaws in iOS and Mac OS X, this March found a memory flaw in iOS 4.2.1 that prompted Apple to include address space layout randomisation (ASLR) protection in iOS 4.3.
He will discuss the flaw at the SyScan conference in Taiwan later this month.