iPhone Security Flaw Shows Potential for App Store Malware

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

The iPhone App Store has a reputation for rock-solid security, but that rep took a hit this week when an app that could run unauthorized code and control phones remotely was released to the public.

Luckily, this bad app was released for research purposes--not malicious ones.

Security researcher and famous Mac hacker Charlie Miller demonstrated an iPhone security flaw using a dummy stock ticker app that Apple unwittingly accepted into the App Store. The app was able to call a remote computer, which could then download unsigned code to the iPhone, harvest sensitive data, and trigger actions such as vibrations and ringtones.

Apple has already removed the program from the App Store, and has terminated Miller's developer license, Forbes reports.

Miller plans to describe the flaw in detail at the SysCan conference in Taiwan next week, but the gist is that mobile Safari's "Nitro" JavaScript engine, released with iOS 4.3, requires the privilege of running unapproved code in a region of the iPhone's memory. Miller's exploit extends this privilege to other apps, which are usually barred from running unapproved code in the same way as Safari for security reasons.

iPhone users needn't panic; the offending app is already gone, and Miller expects Apple to squash the security bug to prevent legitimate attacks. Still, this exploit proves that the App Store's strict security measures aren't impenetrable. Security researchers have been saying this for years, but Miller has actually demonstrated it in the real world.

Follow Jared on Facebook, Twitter or Google+ for even more tech news and commentary.

Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read our affiliate link policy for more details.
Shop Tech Products at Amazon