Has anybody other than researchers looking for headlines successfully submitted a trojan into the iOS App Store?

No, because the requirements for acceptable apps via Apple's vetting process virtually eliminate the likelihood of getting profitable enough malware in the app store to warrant making the effort to do so.

Google allows anonymous signup and self-signed certificates with much less vetting. Coincidentally, the Android market has many more incidences of malware.

<snip>

This is why malware is not yet a significant issue for iOS. Other much easier platforms are available to target.

First off yes, malware isn't a major issue on iOS (as far as we know anyway), and the Android ecosystem is flawed and promotes malware due to poor checks.

I do, however, disagree with some of your assertions:

1 - Miller was able to get this app past the validation checks, how many others have?

2 - There is a lot of money being targeted at mobile devices to try and exploit them, iOS is a target.

3 - What validation is required to get a developer account, and what is the time to detection in the event of information harvesting going on? Unless you see that the app is doing something bad, the front end could be very useful and get great ratings, therefore pose a decent return.



Simple fact is that neither you nor I can state with any certainty that the iOS app process is or isn't safe. I do believe that iOS is more secure, and any malware getting through will be less due to it. I also know that this flaw will be patched soon now, and the ecosystem will be better for it.
 
Oh, yes, my love of Apple. :rolleyes: You know nothing about me.

I've read enough of your posts to make that judgement call, yes. For example, explain away the one I responded to. You made a completely unfounded assumption that was the only way to exonerate Apple. Why did you make that assumption?

Until you explain that away, I'll feel perfectly free to judge you on what I see you post.
 
Android 3.5 is probably early builds of ICS.
Remember, version numbers are an arbitrary thing and can always be in flux until final release.

The developer.android.com link is by released versions only, so it's incomplete.
The wikipedia page has to be updated by people, so it's also incomplete.


If it is an early version of ICS, what exactly did they test it on? I'd love to know how they'd gotten access to an unreleased build and what it was running on when tested and why we only have 3.2.1 out now.

All ICS news leaks I've seen have pointed to a 4.0 release. The only references to Android 3.5 I can find were from 2010 when people were assuming Gingerbread was going to be 3.0 after a Samsung Galaxy Tab Q&A.

http://www.slashgear.com/samsung-confirm-android-3-5-honeycomb-for-tablets-02100317/
 
I've read enough of your posts to make that judgement call, yes. For example, explain away the one I responded to. You made a completely unfounded assumption that was the only way to exonerate Apple. Why did you make that assumption?

Until you explain that away, I'll feel perfectly free to judge you on what I see you post.

Because it is in Miller's interest for Apple to not patch it right away, so why would he point them directly to the vulnerability.

But, hey, you just assume I'm in love with Apple.
 
It just seems like Apple can't win with some people.

If they lock down the javascript compiler on the iPhone, it's a walled garden or Apple is intentionally slowing down apps. If they speed up javascript processing by allowing applications (outside of Mobile Safari) to leverage the faster Nitro engine then the nature of the JIT obviously allows for potential vulnerabilities. Make up your minds.

This is complete nonsense.

All modern browsers (IE9+, Firefox, Google Chrome, Opera etc.) have JavaScript interpreters that work at a very low level yet they don't have these security flaws.

I really don't see why Safari in iOS has to be the exception and why Apple has got their panties in a twist over implementing the feature so slowly.
 
I guess he should have told apple about it instead of submitting that app


No way. Now he's famous in IT circles and can get a MUCH better paying job. (Just ask all the hackers who broke into famous systems and are now making millions as security consultants). Talking about it doesn't cut it. You have to prove it and make (others) aware of it in a loud way. Quietly telling Apple about it wouldn't help his career one iota. Apple would plug the hole and this guy would still be a small fry.
 
No way. Now he's famous in IT circles and can get a MUCH better paying job. (Just ask all the hackers who broke into famous systems and are now making millions as security consultants). Talking about it doesn't cut it. You have to prove it and make (others) aware of it in a loud way. Quietly telling Apple about it wouldn't help his career one iota. Apple would plug the hole and this guy would still be a small fry.

Charlie Miller was famous long before this stunt.
 
Because it is in Miller's interest for Apple to not patch it right away, so why would he point them directly to the vulnerability.
What does he gain from Apple not patching it? A warm and fuzzy feeling? :D:apple:
 
Found an exploit and showed proof of concept in an Apple product. Nothing more than that.

If it was anyone else the same group praising Apple would call the other company in the wrong.

It is nothing more than Apple worship.


Apple has an explicit license agreement that he agreed to. Then he knowingly broke the agreement. So Apple terminated his license. In your words, it's "nothing more than that".

No idea how any of this equates to "Apple worship".
 
No way. Now he's famous in IT circles and can get a MUCH better paying job. (Just ask all the hackers who broke into famous systems and are now making millions as security consultants). Talking about it doesn't cut it. You have to prove it and make (others) aware of it in a loud way. Quietly telling Apple about it wouldn't help his career one iota. Apple would plug the hole and this guy would still be a small fry.

As he is a published author on Mac security with wide press coverage in the popular press (certainly in the UK), I have to disagree with your views.
 
What does he gain from Apple not patching it? A warm and fuzzy feeling? :D:apple:

The ability to drop it on them a month before one of his talks, which he publicizes by saying, Apple hasn't patched this vulnerability he just told them about, even though he knew about it 7 months before he told them.
 
Because it is in Miller's interest for Apple to not patch it right away, so why would he point them directly to the vulnerability.

But, hey, you just assume I'm in love with Apple.

I do, because I've read a lot of posts from you, I'll go on doing that as long as you keep providing evidence.
 
Apple has an explicit license agreement that he agreed to. Then he knowingly broke the agreement. So Apple terminated his license. In your words, it's "nothing more than that".

No idea how any of this equates to "Apple worship".

The hate on the guy is the Apple worship part.
 
The hate on the guy is the Apple worship part.

Really? I'm not allowed to criticize (no hate here) Miller? The timing points to it being a stunt. He just got a different reaction from Apple than he expected. If he read his agreement, he would have seen it coming.

I don't see how that translates to Apple worship.
 
The ability to drop it on them a month before one of his talks, which he publicizes by saying, Apple hasn't patched this vulnerability he just told them about, even though he knew about it 7 months before he told them.
He does that at every Pwn2Own he attends, no need to force it, really. :D:apple:
And again, knowing about a (possible) bug, which may or may not be exploitable, and having an actual exploit ready (in his case September) are two different pairs of shoes. What do you think the Apple security team is gonna do when he tells them there might maybe probably be a bug in Nitro? "Take a hike and come with facts.", that's what they'd say.

He still had to funnel around in MobileSafari's Nitro-sandbox-exception to find that one unchecked place to flesh out for an exploitable bug.

Considering he had to dig that deep, in comparison to the umpteenth PDF-exploit used for jailbreaking of 4.3, kudos to Apple's security team.
 
Really? I'm not allowed to criticize (no hate here) Miller? The timing points to it being a stunt. He just got a different reaction from Apple than he expected. If he read his agreement, he would have seen it coming.

I don't see how that translates to Apple worship.

I dunno, "attention whore" is a pretty loaded phrase.

Oh and am I correct in saying you believe that he should have done absolutely nothing to draw any attention to the issue, that Apple should not have to be subjected to all the subsequent scrutiny?
 
I dunno, "attention whore" is a pretty loaded phrase.

Oh and am I correct in saying you believe that he should have done absolutely nothing to draw any attention to the issue, that Apple should not have to be subjected to all the subsequent scrutiny?

Apple should be subject to scrutiny, but I'm saying give them some more time to deal with the flaw than just three weeks.
 
I've read some Twitter responses of Charlie Miller. While this guy certainly does have some knowledge, he also appears to be a big crybaby and the kind of guy who wants to get attention, no matter what.

Apple deleted the account because he violated the TOS, he should have had a private talk with Apple instead. This way Apple could fix, without giving hackers the hint on how to bypass security checks. If you have ever read the Security Notes on Apple's Updates, you will note that Apple always does give credit to the researcher anyway.
 
The headline of the MacRumors post was somewhat misleading.

He didn't only discover the weakness. That would have gotten him a big pat on the back.

He also managed to get an app approved that exploited it.

Nobody needs that.

Apple was right to revoke his developer license.
See, this is the key point that is not being addressed much. There were 2 events here. One is a normal exploit-reporting publicity stunt, no big deal. The other is an attack on Apple's AppStore, the like of which has never before been successful to this extent. This event is going to cause an unknown mess.

What confuses me is how a guy can be intelligent enough to do work like this (sneaking a trojan past the AppStore), but is surprised when clearly stated consequences occur. Reminds me of the opening scenes of Sneakers, except Charlie wasn't hired, here.

I stand by my earlier post, this will blow over. He'll get his developer account back. People should relax and grab some popcorn rather than yelling at others over what they think should happen.
 
If people really feel the need to build malicious apps to prove their point, it just turns these developers & security researchers into hackers. In the end the customer suffers because of these antics. And it allows others to exploit people with these apps released into the wild.

After reading through these posts, it does sound to me more like a publicity stunt for his next conference coming up.
 
Really? I'm not allowed to criticize (no hate here) Miller? The timing points to it being a stunt. He just got a different reaction from Apple than he expected. If he read his agreement, he would have seen it coming.

I don't see how that translates to Apple worship.

Some like you might be that way, but most of this hate is because this guy exposed a major hole in Apple's iOS.

You know as well as I do if it was any other company he did this to (Microsoft WP7 or Google's Android) that most of the people would be cheering for him and saying how those products suck for that reason.
But god forbid Apple get nailed for the same thing.
 
Why go after a relatively tiny number of mobile phones, when you can go after a large number of computers running much easier to exploit OSs, such as Windows XP?

It's not so much that XP is more exploitable, more people use mobile phones in place of things that used to be reserved for computers like email. I'd always argue that more people keep updated contact info (and simply a lot more contacts stored within their phones and tablets) than in their address books on their machines.

It doesn't make sense to go after iOS devices unless the monetary gain is more direct, such as with the inclusion of privilege escalation.

Sure it does. There are more iOS users than there are Mac OS X users. According to the phone market share Apple has almost half, which wouldn't be too far off to think that it's nearly as many as Windows 7 or XP users.

Charlie Miller didn't exploit the app store anonymously, that doesn't mean he couldn't have. If he also incorporated ID theft into the mix which would put him in a very serious situation, there's zero doubt that it would've worked, but that wasn't his intent nor was it important to do. What he proved was more than sufficient, it debunked the myth that iOS is completely secure, it also disproved that the App Store can't accept exploited apps. This isn't like many of Vupen's security bulletins where they claim something might be used to take advantage of a vulnerability, Miller actually did it.

Google is not very forthcoming with providing details about what is patched in each update.

Neither is Apple so what's your point. Many companies don't always reveal all the details within each update.
 
Most of the time I quite like Charlie, and I also obviously like Apple. I wish they could work it out amongst themselves without causing this big blow-up. He's good for the Apple community, and good for security.

If it were me that had this knowledge and ability, I would have:

1. Found the bug
2. Told Apple about the bug (which he did; timing to be argued :D)
3. Done the app, and submitted it to the Apple Store
4. Privately told Apple what they've just approved, without grandstanding

I think Apple would have been a little more receptive, despite still being a violation of the ToS.
 
Most of the time I quite like Charlie, and I also obviously like Apple. I wish they could work it out amongst themselves without causing this big blow-up. He's good for the Apple community, and good for security.

If it were me that had this knowledge and ability, I would have:

1. Found the bug
2. Told Apple about the bug (which he did; timing to be argued :D)
3. Done the app, and submitted it to the Apple Store
4. Privately told Apple what they've just approved, without grandstanding

I think Apple would have been a little more receptive, despite still being a violation of the ToS.

Outstanding post and my exact thoughts. I _do_ think to be effective he needed to try to slip it in without any advance warning, but the real change in his approach is your number 4 (and by doing such, and making a point about my aforementioned need to do this covertly without grandstanding...).

It's not about what he did, just how he went about it, but hey, not everyone can operate with a little tact (see this board for further examples :D )
 
Most of the time I quite like Charlie, and I also obviously like Apple. I wish they could work it out amongst themselves without causing this big blow-up. He's good for the Apple community, and good for security.

If it were me that had this knowledge and ability, I would have:

1. Found the bug
2. Told Apple about the bug (which he did; timing to be argued :D)
3. Done the app, and submitted it to the Apple Store
4. Privately told Apple what they've just approved, without grandstanding

I think Apple would have been a little more receptive, despite still being a violation of the ToS.

Despite what happened, Charlie did violate the terms, plain and simple; however, I think Apple's less concerned with that than the fact that it took away Apple's ability to provide "plausible deniability". Miller put a lot of pressure on Apple due to the media exposure of his successful exploitation.
 