A major security flaw in iOS, allowing rogue developers to take control of applications remotely, has been discovered.
The flaw - discovered by a security researcher - means that developers can create applications that are approved by Apple, but can then be used remotely to control the iOS device, and even steal users' data.
Forbes reported on researcher Charlie Miller's findings: "Miller became suspicious of a possible flaw in the code signing of Apple's mobile devices with the release of iOS 4.3 last year.
"The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he'd like."
After discovering the bug, Miller went a step further and created his own application containing code that could be taken advantage of, should it ever be downloaded by a customer. The app was approved by Apple's notoriously strict App Store, and Miller was then able to control the app remotely.
Forbes reports: "Using his method - and Miller has already planted a sleeper app in Apple's App Store to demonstrate the trick - an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user's photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends."
Miller has since had his developer account revoked, as Apple claim he has breached the developer agreement. Apple said: "This letter serves as notice of termination of the iOS Developer Program License Agreement...between you and Apple."
Now that the flaw has been made public, we can expect Apple to fix it with a software update soon, and while Miller hasn't explained exactly how to inject the malicious code, it does mean that less honest developers could use the flaw for personal gain.