© 2024 Blaze Media LLC. All rights reserved.
Expert Reveals Major App Security Flaw, Apple Retaliates With Year Suspension

From a security and virus-prevention perspective, it helps that every app you download onto your iPhone or iPad comes from one source: the Apple App Store. But what happens if an app itself is compromised but has been cleared as safe by Apple?

Charlie Miller, whom Forbes playfully calls a "serial Mac hacker" and Ars Technica calls a "security researcher", planted a "sleeper app" in the App Store that would allow the app to run unsigned code. Forbes reported that he will demonstrate his hack next week at the SyScan conference.

But very quickly after his workaround of the system was announced, Miller had his Apple developer's license revoked for a year. Ars Technica reports that Apple operating systems are designed only to run code that is "digitally signed by the developer", and that developers receive a special security clearance from Apple's Developer Program. Ars Technica continues with this explanation:

But in iOS 4.3, Apple introduced a mechanism to allow exceptions to this hard and fast "signed code only" rule. To improve the performance of MobileSafari, Apple added an improved JavaScript engine called Nitro. First introduced in Safari on Mac OS X, Nitro works by first analyzing JavaScript code for a webpage, and then compiling it "just in time" into optimized native code.

"This code hasn't been signed, so there has to be a mechanism to relax those restrictions," Miller said. Normally, iOS's kernel won't let apps allocate memory that is writeable and executable. Either memory is allocated as writeable—able to store data—or it's executable—able to store signed instruction code. However, iOS 4.3 introduced "sandboxing entitlements," special exceptions granted on a very limited basis, to allow things like Nitro's JIT JavaScript compilation to work. In iOS 4.3 and later, MobileSafari has an entitlement called "dynamic code signing."

"MobileSafari is allowed to have a single special region of memory to write JIT code to memory and allow it to execute," Miller explained. "Only MobileSafari is supposed to have this." Miller said that even this entitlement is well-protected. If MobileSafari were hacked, it couldn't create an additional executable area of memory, and it couldn't affect other apps outside of its sandbox.

The problem that Miller discovered is actually a flaw in the part of iOS that checks to make sure that only MobileSafari has the special ability to create an area of memory that is both writeable and executable. "That allowed my app to create its own special area of memory to download and run unsigned code."

So basically, as Miller told Forbes, almost anything on the App Store could be compromised. But Reuters (via Huffington Post) reports that, as far as anyone knows, this vulnerability hasn't been taken advantage of.
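The rule Ars Technica describes above (memory is writeable or executable but not both, with a single entitled exception for MobileSafari's JIT region) is easy to state precisely. The following toy model is an added example written for this page, not Apple's kernel code: the entitlement string, the protection-flag values and the process names are assumptions chosen for the model. It encodes the intended policy, so a reader can see exactly what the check that Miller found to be flawed was supposed to enforce: an entitled process gets one writeable-and-executable region and no more, and an unentitled app gets none.

```c
/* Toy model (added example, not Apple's code) of the iOS 4.3 memory policy the
 * article describes. Flag values, the entitlement string and the process names
 * are assumptions made for this model. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Protection bits, named after the Mach VM flags but with values chosen here. */
#define VM_PROT_READ    0x1
#define VM_PROT_WRITE   0x2
#define VM_PROT_EXECUTE 0x4

/* Entitlement name as the article describes it; the exact string is assumed. */
#define ENT_DYNAMIC_CODESIGNING "dynamic-codesigning"

typedef struct {
    const char *name;
    const char *entitlements[4];   /* NULL-terminated list of entitlement strings */
    int jit_regions;               /* writeable+executable regions already granted */
} process_t;

static bool has_entitlement(const process_t *p, const char *ent) {
    for (int i = 0; p->entitlements[i] != NULL; i++)
        if (strcmp(p->entitlements[i], ent) == 0)
            return true;
    return false;
}

/* The policy the article describes: memory may be writeable or executable,
 * never both, unless the process holds the dynamic-codesigning entitlement,
 * and even then it gets exactly one such region. Returns true if allowed. */
bool policy_allow_mapping(process_t *p, int prot) {
    bool writeable  = (prot & VM_PROT_WRITE) != 0;
    bool executable = (prot & VM_PROT_EXECUTE) != 0;

    if (!(writeable && executable))
        return true;                       /* W^X holds: data page or signed code page */
    if (!has_entitlement(p, ENT_DYNAMIC_CODESIGNING))
        return false;                      /* unentitled app: no RWX region, ever */
    if (p->jit_regions >= 1)
        return false;                      /* entitled, but already has its one region */
    p->jit_regions++;
    return true;
}

/* Scenario 1: MobileSafari asks for two RWX regions; only the first is granted. */
int granted_regions_for_mobilesafari(void) {
    process_t safari = { "MobileSafari", { ENT_DYNAMIC_CODESIGNING, NULL }, 0 };
    policy_allow_mapping(&safari, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE);
    policy_allow_mapping(&safari, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE);
    return safari.jit_regions;
}

/* Scenario 2: a third-party app (constructed name) asks for RWX; refused. */
bool third_party_rwx_allowed(void) {
    process_t app = { "ExampleApp", { NULL }, 0 };
    return policy_allow_mapping(&app, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE);
}

/* Scenario 3: the same app asks for ordinary writeable data memory; allowed. */
bool third_party_rw_allowed(void) {
    process_t app = { "ExampleApp", { NULL }, 0 };
    return policy_allow_mapping(&app, VM_PROT_READ | VM_PROT_WRITE);
}

int main(void) {
    printf("MobileSafari RWX regions granted: %d\n", granted_regions_for_mobilesafari());
    printf("Third-party RWX allowed: %s\n", third_party_rwx_allowed() ? "yes" : "no");
    printf("Third-party RW allowed:  %s\n", third_party_rw_allowed() ? "yes" : "no");
    return 0;
}
```

The three scenarios correspond to the three claims in the article: MobileSafari "is allowed to have a single special region", it "couldn't create an additional executable area", and other apps are not supposed to have the entitlement at all. Any bug in the entitlement check itself sits in the second `if` of `policy_allow_mapping`: if that test can be made to pass for a process that does not hold the entitlement, the W^X guarantee for that process is gone, which is the outcome Miller describes.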

With regard to being removed from the developer program, a separate Forbes post reports Miller as essentially saying it wouldn't have happened under previous management:

“I miss Steve Jobs,” he says. “He never kicked me out of anything.”

Miller, who works for Accuvant Labs as a researcher, has given Apple a heads-up about several security flaws in its products over the last few years. According to Apple's letter revoking Miller's privileges, reported by Forbes, Apple believed he had violated his agreement not to “hide, misrepresent or obscure” any part of the app.
