Technology

Expert Reveals Major App Security Flaw, Apple Retaliates With Year Suspension

From a security and malware-prevention perspective, it helps that every app you install on an iPhone or iPad comes from a single source: the Apple App Store. But what happens if an app that Apple has reviewed and cleared as safe can itself download and run code that was never reviewed?

Researcher Gets Apple App Developer Privileges Revoked When He Creates Malicious App to Prove Point


Charlie Miller, whom Forbes playfully calls a “serial Mac hacker” and Ars Technica calls a “security researcher”, planted a “sleeper app” in the App Store that could download and run unsigned code, bypassing the code-signing requirement that normally governs every app on the platform. Forbes reported that he will demonstrate the technique next week at the SyScan conference.

But very soon after his bypass was announced, Miller had his Apple developer license revoked for a year. Ars Technica reports that Apple's operating systems are designed to run only code that is “digitally signed by the developer”, and that developers obtain the certificate they sign with through Apple's Developer Program. Ars Technica continues with this explanation:

But in iOS 4.3, Apple introduced a mechanism to allow exceptions to this hard and fast “signed code only” rule. To improve the performance of MobileSafari, Apple added an improved JavaScript engine called Nitro. First introduced in Safari on Mac OS X, Nitro works by first analyzing JavaScript code for a webpage, and then compiling it “just in time” into optimized native code.

“This code hasn’t been signed, so there has to be a mechanism to relax those restrictions,” Miller said. Normally, iOS’s kernel won’t let apps allocate memory that is writeable and executable. Either memory is allocated as writeable—able to store data—or it’s executable—able to store signed instruction code. However, iOS 4.3 introduced “sandboxing entitlements,” special exceptions granted on a very limited basis, to allow things like Nitro’s JIT JavaScript compilation to work. In iOS 4.3 and later, MobileSafari has an entitlement called “dynamic code signing.”

“MobileSafari is allowed to have a single special region of memory to write JIT code to memory and allow it to execute,” Miller explained. “Only MobileSafari is supposed to have this.” Miller said that even this entitlement is well-protected. If MobileSafari were hacked, it couldn’t create an additional executable area of memory, and it couldn’t affect other apps outside of its sandbox.

The problem that Miller discovered is actually a flaw in the part of iOS that checks to make sure that only MobileSafari has the special ability to create an area of memory that is both writeable and executable. “That allowed my app to create its own special area of memory to download and run unsigned code.”
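The rule Ars describes can be written down as a policy. The following C model is an added illustration, not Apple's kernel code and not Miller's app: it enforces writeable-xor-executable for every mapping, lets a single entitled process obtain exactly one writable-and-executable region, and refuses the usual route around that (map read-write, fill the buffer with downloaded bytes, then flip it to executable). The structure and field names are this example's assumptions, as are the two scenario processes; the specific defect Miller found in the entitlement check is not described on this page and is deliberately not modelled.

```c
#include <stdbool.h>

/* Protection bits, mirroring the PROT_* flags of mmap(2)/mprotect(2). */
enum { PROT_R = 1, PROT_W = 2, PROT_X = 4 };

/* Per-process state. The entitlement is the page's "dynamic code signing";
 * the field names are this example's assumptions. */
struct process {
    bool dynamic_codesigning; /* may own exactly one writable+executable region */
    bool jit_region_granted;  /* that single region has already been handed out */
};

/* A mapping: its protection, whether its bytes come from a signed image the
 * kernel verified, whether it was ever writable, and whether it is the JIT region. */
struct mapping {
    int prot;
    bool signed_backing, ever_writable, is_jit_region;
};

enum verdict {
    ALLOW,
    DENY_UNSIGNED_EXEC,  /* X requested on unsigned or once-writable bytes */
    DENY_NO_ENTITLEMENT, /* W+X requested without the entitlement */
    DENY_SECOND_REGION   /* entitled process already holds its W+X region */
};

/* The entitlement gate: one W+X region per entitled process, none for others. */
static enum verdict grant_wx(struct process *p, struct mapping *m)
{
    if (!p->dynamic_codesigning) return DENY_NO_ENTITLEMENT;
    if (p->jit_region_granted)   return DENY_SECOND_REGION;
    p->jit_region_granted = m->is_jit_region = true;
    return ALLOW;
}

/* mmap-style check: create mapping m with protection prot. */
enum verdict check_map(struct process *p, struct mapping *m, int prot, bool signed_backing)
{
    bool w = (prot & PROT_W) != 0, x = (prot & PROT_X) != 0;
    *m = (struct mapping){ .prot = 0, .signed_backing = signed_backing, .ever_writable = w };
    if (w && x) {
        enum verdict v = grant_wx(p, m);
        if (v != ALLOW) return v;
    } else if (x && !signed_backing) {
        return DENY_UNSIGNED_EXEC;
    }
    m->prot = prot;
    return ALLOW;
}

/* mprotect-style check. "Map RW, fill with downloaded bytes, flip to RX" is
 * refused because the pages are unsigned and were once writable. */
enum verdict check_protect(struct process *p, struct mapping *m, int new_prot)
{
    bool w = (new_prot & PROT_W) != 0, x = (new_prot & PROT_X) != 0;
    if (!m->is_jit_region) {
        if (w && x) {
            enum verdict v = grant_wx(p, m);
            if (v != ALLOW) return v;
        } else if (x && (!m->signed_backing || m->ever_writable)) {
            return DENY_UNSIGNED_EXEC;
        }
    }
    if (w) m->ever_writable = true;
    m->prot = new_prot;
    return ALLOW;
}

/* Constructed scenarios: an unentitled App Store app versus MobileSafari. */
enum verdict scenario_app_rwx(void)   /* app asks for W+X outright */
{
    struct process app = { false, false };
    struct mapping m;
    return check_map(&app, &m, PROT_R | PROT_W | PROT_X, false);
}

enum verdict scenario_app_flip(void)  /* app maps RW, then asks for RX */
{
    struct process app = { false, false };
    struct mapping m;
    check_map(&app, &m, PROT_R | PROT_W, false);
    return check_protect(&app, &m, PROT_R | PROT_X);
}

int scenario_safari_regions(void)     /* W+X regions granted to the entitled process */
{
    struct process safari = { true, false };
    struct mapping a, b;
    int granted = 0;
    if (check_map(&safari, &a, PROT_R | PROT_W | PROT_X, false) == ALLOW) granted++;
    if (check_map(&safari, &b, PROT_R | PROT_W | PROT_X, false) == ALLOW) granted++;
    return granted;
}

enum verdict scenario_signed_text(void) /* ordinary signed code pages map RX */
{
    struct process app = { false, false };
    struct mapping m;
    return check_map(&app, &m, PROT_R | PROT_X, true);
}
```

Each scenario function returns the verdict, so the refusals can be checked directly: the unentitled app is denied a writable-and-executable region, its read-write-then-execute flip is denied, and a second region request from the entitled process is refused after the first succeeds, while ordinary signed code pages still map executable. Miller's point is that a defect in the part of this check that decides who is entitled collapses all of those guarantees at once.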

So, as Miller told Forbes, almost any app on the App Store could carry the same capability past Apple's review. Reuters (via the Huffington Post) reports that, as far as anyone knows, the vulnerability has not been exploited in the wild.

With regard to being dropped from the developer program, a separate Forbes post quotes Miller as suggesting, in effect, that it would not have happened under the company's previous leadership:

 “I miss Steve Jobs,” he says. “He never kicked me out of anything.”



Miller, who works as a researcher at Accuvant Labs, has given Apple advance notice of several security flaws in its products over the past few years. According to Apple's letter revoking his privileges, reported by Forbes, the company believed he had violated his agreement not to “hide, misrepresent or obscure” any part of the app.

Comments (19)

  • GhostOfLiberty
    Posted on November 9, 2011 at 2:17pm

    Apple sucks anyway. This guy could go far on the Android platform. It is basically the same as the iOS because all an Apple OS is, is nothing more than BSD2: Electric Boogaloo.

    What I mean is that Apple used open source code to create the Apple OS. Android is Linux, which is also open source, and will stay open source. You can modify the Android OS as you see fit and then redistribute it at will. It says so right in the Licensing packet. This means that there are no holds barred in Android. Do what you want, and make it kick ass. With the iOS, do what THEY want, and be restrained forever. Unless you jailbreak your iPhone. But, technically Apple could turn around and sue you for tampering with code relevant to “trade secrets” or some BS like that.

    It’s good that Steve Jobs is dead. Maybe this abomination of an OS will follow him if we are lucky.

    • skitrees
      Posted on November 9, 2011 at 5:52pm

      - “Linux, which is also open source, and will stay open source” yeah, like Red Hat, right?

      The fact is – almost routinely, when it comes to open source apps – given enough time, they either sell out or fizzle out because at some point the developers realize they need to support themselves somehow. The idea that socialism works (even in software) is proven wrong over and over and over again. When Google entered the picture and became a driver of the open source market (using the free labor of others to build its product/profits on, then returning tools to the free labor/slaves so that they could be more efficient in making Google profits), THEN there is some sustainability with “open source” code. The difference is, Microsoft paid their workers.

  • lawrench
    Posted on November 9, 2011 at 12:33pm

    Well, I think he had to upload the app that would exploit the flaw as a proof of concept. If he did not do that, then there is not a way to verify the flaw. While he did violate the agreement, there should be an exception made in this case. I believe it says more about the Apple QA process than it does about this guy. If such a controlled process can be exploited, how can we ever trust the “Unhackable” Apple iOS?

  • CheckeredFlag
    Posted on November 9, 2011 at 10:59am

    Read the full Ars Technica story. He did not get in trouble for exposing the bug. In fact, Apple was intending to recognize his work:

    “Miller alerted Apple about the weakness three weeks ago. The company acknowledged it and asked how Miller should be credited in a security bulletin that accompanies most iOS release notes.”

    Where he went wrong was by also submitting an app to the store that intentionally exploits the problem:

    “One thing Miller did not tell Apple, however, is that he had an app in the App Store that took advantage of the flaw. A few hours after the news broke, Miller received an e-mail from Apple noting that his developer program access had been revoked for a period of one year for violating its terms of service.”

    Heavy handed? Perhaps, but he intentionally violated the terms of service.

    Seems equivalent to notifying the TSA about a weakness you observe vs sneaking a bomb on to a plane to expose that weakness. The latter will certainly get you arrested for “doing the right thing”.

  • The Bear Story
    Posted on November 9, 2011 at 8:13am

    I see bigger and better things happening for this guy. That was the plan right.

  • 1973flh
    Posted on November 9, 2011 at 6:08am

    Thanks for the detailed explanation of the security vulnerability. Most people won’t understand it but those with a computer background will.

  • IslandMama
    Posted on November 9, 2011 at 5:47am

    Shame on Apple! You don’t fire the messenger. This man discovered – and reported to Apple – a security flaw in their operating system that could allow hackers to compromise any and all apps already in use – this could affect ALL Apple iPhone users who download or run those apps on their phones. That is what he is saying. Apple got mad at him because the way he discovered it was to OMIT something in his app that the operating system should have noticed was missing and then not allowed his app to run. He did it as a test. A test Apple should have done on its own and clearly has not. When he delivered the bad news, they got mad. It appears he did not go public with this until AFTER they kicked him out as a developer. Shame on them. Someone, please hire this guy.

    • loriann12
      Posted on November 9, 2011 at 7:11am

      My first thought was they wanted it there, and he exposed them.

    • Spyder
      Posted on November 9, 2011 at 9:55am

      Loriann,
      You read my mind.

  • slimster
    Posted on November 9, 2011 at 1:52am

    It would have been better for him to bring the problem to Apple so they can fix it before he tells everyone who might use it maliciously. But this has been an obvious problem for a long time and I’m surprised Apple has not found a fix for it yet.

  • Bakko Bomma
    Posted on November 9, 2011 at 1:48am

    He should go work for ANONYMOUS. They could use a real hacker.

  • Conservative2
    Posted on November 9, 2011 at 1:04am

    He makes full sense, how lame of Apple to allow this, just to make the on-time release of their newest product.

  • Gumbercules
    Posted on November 9, 2011 at 12:44am

    Thermonuclear physics is easier to understand than this guy’s explanation of the App security flaw.

  • jujubmuse
    Posted on November 8, 2011 at 11:56pm

    I can’t believe Apple did that to him.

    • theaveng
      Posted on November 9, 2011 at 12:17am

      I can. Apple’s acted like a tyrant for several years now.

    • UlyssesP
      Posted on November 9, 2011 at 10:18am

      Why? Is Apple so great? Search Foxconn and Apple together and read about the people who actually make Apple’s iPads, etc. Read about the corporate culture that is so depressing the employees are on suicide watch.
      Enjoy that iPad.

    • Anonymous T. Irrelevant
      Posted on November 9, 2011 at 10:42am

      Yet none of these iPad/iPhone users will protest “the great Apple” like they did Nike and other sweat shops.

  • SCARY
    Posted on November 8, 2011 at 11:44pm

    I really, really tried to understand anything in that story. Just... couldn’t... do it.

    Oh well,back to Call of Duty.

  • YoungConservativesRule
    Posted on November 8, 2011 at 11:36pm

    Poor dude…

