Apple reviews every app that is available in the app store to make sure it is safe to use. Forbes reported on Charlie Miller an Apple security researcher who found a way for seemingly safe app to turn evil. Miller created an app that was able to pass all of Apple’s review tests and was available on the app store. Apple has removed the app that Miller used as an example of the security hole, and has removed him from the Apple developer program.
Miller’s app appeared as a run of the mill stock checking app which communicated with a server in his house. When the app was reviewed by Apple it looked like a normal app, and didn’t raise any red flags. The app uses security issues related to Apple’s mobile Safari app which allows apps to run code that wasn’t seen or approved by Apple.
Miller demonstrates just how powerful this kind of app can be by downloading the app and showing how it looked to Apple’s review team. He then updates the app’s code on his computer and re-downloads the same program. Upon start up Miller was able to access all kinds of information stored on the phone. Miller says that he is able to download contacts and pictures stored on the phone, and all of this is done without the phone user having any idea what is going on.
We have seen other security holes on Apple’s iOS devices, but nothing to this degree. Many jailbreakers used a PDF exploit to easily jailbreak their phones. Miller is scheduled to speak at a conference next week where he will further demonstrate how the exploit works, and hopes that Apple pays attention to fix the problem. Miller says that any app on the market would be able to use this technique to tap into users phones, and until Apple fixes the problem that any app can be a threat.