iPhone Dev Sneaks Malware Into Apple App Store, Feels Swift Wrath of Cupertino
An iOS security researcher who submitted a tainted iPhone application meant to expose a weakness in Apple's App Store security process has been suspended from Apple's developer program. And rightly so: he violated clear terms of service. But what does that say about the security of all those random apps on your iPhone, iPad and iPod?
By Al Sacco
Managing Editor, CIO
Charlie Miller, a well-known iOS security researcher, has made it his job, or at least a hobby, to identify security flaws in Apple software. And he recently found a good one, or a bad one, depending on your standpoint on iPhone/iOS security.
Miller’s latest finding exploits a flaw in Apple’s iOS software that enables an App-Store-approved application, a seemingly harmless stock-monitoring app he built called “InstaStock,” to download and install potentially malicious code from third-party sources onto users’ iOS devices. That code could do things like trigger random notifications or processes and steal or modify sensitive data stored on those devices. (Check out the video above for details on how this exploit works.)
And after Miller submitted the InstaStock app and had it approved back in September, to demonstrate that such an app could fly under Apple’s radar and make it onto everyday users’ gadgets, Apple yesterday went ahead and booted him from its developer program for at least a year.
Miller made the news of his suspension public yesterday via Twitter:
“OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!” the researcher wrote, err, “tweeted.”
I completely understand why Apple decided to remove Mr. Miller from its iOS developer program; he clearly violated developer terms of service that he previously agreed to. (Specifically, Miller violated sections 3.2 and 6.1 of Apple’s iOS Developer Program License Agreement, according to CNet.) And Miller was undoubtedly both thumbing his nose at Apple a bit and drawing the Internet spotlight, and media hype, to himself and his work.
But I also see why Miller would submit such an application to the App Store while knowingly violating some terms of service. In his own words, again via Twitter:
“For the record, without a real app in the AppStore [sic], people would say Apple wouldn’t approve an app that took advantage of this flaw.”
Miller also claims to have notified Apple three weeks ago about the vulnerability that enabled such an application to sneak into the App Store. If that’s true, then I’m not sure Miller has done anything really wrong, except perhaps waiting longer than he should have to contact Apple. In fact, he seems to have identified what could have become a serious security issue for Apple at some point down the line.
Bottom line: Security issues will continue to be identified in mobile devices and platforms. And Apple’s suspension of Miller won’t keep him from digging into iOS software in hopes of finding more potential problems; in fact, he may now be more motivated to find flaws and less inclined to tell Apple about them.
But users need to take responsibility for their own mobile security and be extremely vigilant about the types of applications they install on their devices and the sources that publish them. Sure, there may be an “app for that.” But in the future, it may be safe and smart to be generally paranoid about installing brand new apps, especially if they come from questionable or unknown sources.
Al Sacco was a journalist, blogger and editor who covers the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered up recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.