Security Researcher Demoes Bug To Execute Unsigned Code on iOS Devices

Security researcher Charlie Miller, former NSA analyst now working for consultancy firm Accuvant, plans to publicly demonstrate a new security hole that could allow regular App Store apps to download and execute unsigned code on any iOS device. As Forbes reports, Miller, who isn’t new to the Mac and iOS hacking and security scene, plans to detail his discoveries at the SysCan conference in Taiwan next week.

Full details of the security hole aren’t available – Miller is apparently saving the presentation for next week to give Apple time to fix the issue, and the company is indeed already working on an iOS 5.0.1 update – but Miller had a “stealth app” approved by Apple in the App Store to record a video of the hidden “functionality”. The app was called Instastock, and it behaved as a regular stock monitoring app until Miller recorded a video of his iPhone being subject to malicious attacks through the app, which has since been pulled. Apparently, since Apple found out about Miller’s app and YouTube video, he’s also been removed from the iOS Developer Program.

As you can see in the video, the app gets downloaded from the App Store as any other free or paid app. The first time Miller runs it on his iPhone, nothing happens and the app performs as advertised. But as soon as Miller activates the hidden functionalities on his web server, somehow connected to the iOS app, the app “phones home” and starts downloading and executing unsigned code. As per Apple’s technical rules and guidelines, App Store apps can only execute code approved by Apple. Yet with Instastock, Miller managed to make the iPhone vibrate remotely, open a YouTube video, and even download the device’s entire Address Book remotely. The app is seen exposing parts of the iOS filesystem, listing installed apps, and presumably giving access to a user’s documents, photos and more. In the video – which we’ve embedded below – you can also watch Miller execute commands remotely (from his computer to iPhone) using a command line interface.

Apparently, the hack has been made possible by a flaw in Apple’s JavaScript engine Nitro, introduced with iOS 4.3, which is granted an exception to the system’s code-signing rules so that Mobile Safari can render web pages faster. Forbes quotes Miller: “Apple runs all these checks to make sure only the browser can use the exception. But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”
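The two rules the article describes, that App Store apps may only execute code Apple has approved and that the browser alone holds an exception for its JIT, can be modelled as a small policy check. The following is an added example written for this post, not code from Apple, Miller, or the Instastock app; the article does not disclose the actual bug, so nothing here reproduces it. The process names, the `dynamic-codesigning` entitlement label, the hash allow-list standing in for Apple’s signature verification, and the sample code blobs are all assumptions constructed for the example. It shows the defender’s view: unsigned code is refused unless the requesting process both holds the exception and has had its own identity verified, and every refusal is logged so that an app that suddenly starts feeding unsigned code to the system leaves a trace.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for Apple's signing authority: digests of code that has
# been approved. Real iOS checks cryptographic signatures, not a hash allow-list;
# this toy keeps only the decision logic, which is the point of the example.
APPROVED_CODE = {
    hashlib.sha256(b"instastock-1.0-reviewed-build").hexdigest(),  # constructed
}

# Hypothetical entitlement name marking the single process allowed to run
# code it generated itself (the browser's JIT).
JIT_ENTITLEMENT = "dynamic-codesigning"

# Audit trail of refused executions; a defender would ship this to their logs.
AUDIT_LOG = []


@dataclass(frozen=True)
class Process:
    bundle_id: str
    entitlements: frozenset = frozenset()
    # True only once the platform has verified the binary that is making the
    # request really is the one the entitlement was granted to.
    identity_verified: bool = False


def can_execute(proc: Process, code: bytes) -> bool:
    """Return True if `proc` may execute `code` under the modelled policy.

    Approved (signed) code runs for anyone. Unsigned code runs only for a
    process that holds the JIT exception AND whose identity has been verified;
    an entitlement string alone is not enough.
    """
    digest = hashlib.sha256(code).hexdigest()
    if digest in APPROVED_CODE:
        return True
    allowed = JIT_ENTITLEMENT in proc.entitlements and proc.identity_verified
    if not allowed:
        AUDIT_LOG.append(
            f"DENY unsigned code sha256={digest[:16]} bundle={proc.bundle_id}"
        )
    return allowed


def denials_for(bundle_id: str) -> list:
    """Audit helper: all refused executions attributed to one app."""
    return [line for line in AUDIT_LOG if line.endswith(f"bundle={bundle_id}")]


if __name__ == "__main__":
    # Constructed processes: the browser with a verified JIT exception, and an
    # ordinary App Store app that has no exception at all.
    browser = Process("com.apple.mobilesafari",
                      frozenset({JIT_ENTITLEMENT}), identity_verified=True)
    app = Process("com.example.stockapp")

    print(can_execute(app, b"instastock-1.0-reviewed-build"))   # approved build
    print(can_execute(browser, b"jit-compiled javascript"))     # JIT exception
    print(can_execute(app, b"payload fetched from a web server"))  # refused
    for line in denials_for("com.example.stockapp"):
        print(line)
```

Running the script prints `True`, `True`, `False` and then the single audit line for the refused blob. The design choice worth noting is that the exception is tied to a verified process identity rather than to a flag a process could merely claim, which is exactly the property Miller describes Apple’s checks as trying to enforce.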

Instastock has already been pulled from the App Store, and it’s unlikely that anyone else will figure out the exact bug that Miller has discovered before Apple releases iOS 5.0.1, which has reached beta 2 status and has been reported to introduce security fixes for iOS devices. Apple will likely include a fix for Miller’s discovery in iOS 5.0.1, but in the meantime you can check out the interesting demo after the break.
