Welcome to the completely free source for all your iPhone news, iPhone Unlocks, iPhone Jailbreaks, iPhone Guides and Tutorials.Developers, and researchers around the globe have been working hard to open the device in hopes to achieve what Apple never intended. Tedsmobileworld aims to share all the hacking, mods, cracks, and discoveries with you — in one central location! Happy iPhoning!.

Chitika

Showing posts with label Booted. Show all posts
Showing posts with label Booted. Show all posts

Wednesday, November 9, 2011

Researcher Reveals Security Vulnerability in iOS; Demos It In Apple Approved App; Gets Booted From App Store

Security researcher and a former National Security Agency analyst - Charlie Miller has revealed that he has found a major security vulnerability in iOS that could allow malicious code to be executed on the iOS device, which could be used by the attacker to steal the user’s photos, read contacts, make the phone vibrate or play sounds etc.

Forbes reports:

Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 early last year. To increase the speed of the phone’s browser, Miller noticed, Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system.

The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like. “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

Miller also developed an app to show the vulnerability, which was briefly approved by Apple:

Miller, a former NSA analyst who now works as a researcher with consultancy Accuvant, created a proof-of-concept app called Instastock to show the vulnerability. The simple program appears to merely list stock tickers, but also communicates with a server in Miller’s house in St. Louis, pulling down and executing whatever new commands he wants. In the video below, he demonstrates it reading an iPhone’s files and making the phone vibrate. Miller applied for Instastock’s inclusion in the App Store and Apple approved the booby-trapped app.

Apple has quickly removed the app from the App Store and also terminated his developer license for breach for developer agreement.

“This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple,” the email read. “Effective immediately.”

This is not the first time Miller has found a security flaw in iOS. In 2009, he had discovered a security vulnerability in iPhone's messaging system.

Apple has a week's time to fix the security flaw as Miller plans to present his findings at the SysCan conference in Taiwan next week.

Do you think Apple has done the right thing by booting Miller out of App Store? Are you worried about the security vulnerability?

[via Forbes]


View the original article here

Posted by at No comments:
Labels: , , , , , , , ,
Subscribe to: Posts (Atom)