by Al Sacco

iPhone Dev Sneaks Malware Into Apple App Store, Feels Swift Wrath of Cupertino

Nov 08, 20113 mins

An iOS security researcher who submitted a tainted iPhone application meant to expose a weakness in Apple's App Store security process has been suspended from Apple's developer program. And rightly so—he violated clear terms of service. But what does that say about the security of all those random apps on your iPhone, iPad and iPod?

Charlie Miller, a well-known iOS security researcher has made it his job—or at least a hobby– to identify security flaws in Apple software. And he recently found a good one…or a bad one depending on your standpoint on iPhone/iOS security.


Miller’s latest finding exploits a flaw in Apple’s iOS software that enables an App-Store-approved application, a seemingly harmless stock-monitoring app he built called “InstaStock,” to download and install potentially malicious code from third-party sources onto users’ iOS devices. That code could do things like trigger random notifications or processes and steal or modify sensitive data stored on those devices. (Check out the video above for details on how this exploits works.)

And, after submitting the InstaStock app and having it approved back in September, to demonstrate that such an app could fly under Apple’s radar and make it onto everyday users’ gadgets, Apple yesterday went ahead and booted Miller from its developer program for at least a year.

Miller made the news of his suspension public yesterday via Twitter:

“OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!” the researcher wrote, err, “tweeted.”

I completely understand why Apple decided to remove Mr. Miller from its iOS developer program; he clearly violated developer terms of service that he previously agreed to. (Specifically, Miller violated sections 3.2 and 6.1 of Apple’s iOS Developer Program License Agreement, according to CNet.) And Miller was undoubtedly both thumbing his nose at Apple a bit and drawing the Internet spotlight—and media hype–to himself and his work.

But I also see why Miller would submit such an application to the App Store while knowingly violating some terms of service. In his own words, again via Twitter:

“For the record, without a real app in the AppStore [sic], people would say Apple wouldn’t approve an app that took advantage of this flaw.”

Miller also claims to have notified Apple three weeks ago about the vulnerability that enabled such an application to sneak into the App Store. If that’s true, then I’m not sure Miller has done anything really wrong, expect perhaps waiting longer than he should have to contact Apple. In fact, he seems to have identified what could have become a serious security issue for Apple at some point down the line.

Bottom line: Security issues will continue to be identified in mobile devices and platforms. And Apple’s suspension of Miller won’t keep him from digging into iOS software in hopes of finding more potential programs—in fact, he may now be more motivated to find flaws and less inclined to tell Apple about them.

But users need to take responsibly for their own mobile security and be extremely vigilant about the types of applications they install on their devices and the sources that publish them. Sure, there may be an “app for that.” But in the future, it may be safe and smart to be generally paranoid about installing brand new apps, especially if they come from questionable or unknown sources.