Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Security Researcher Reveals iOS Security Flaw, Gets Developer License Revoked
- Thread starter wrldwzrd89
- Start date
- Sort by reaction score
Some random thoughts:
The same thing was done to Android back in the early days: researchers would upload apps with intentionally "malicious" code just to get proof and publicity.
--
Android has several hacker groups who are constantly checking new apps for malicious code. It helps that an Android app must declare many security options before it can be installed, whereas an iOS app does not. If an Android tip calculator wants internet and contacts access, you can be sure that someone is checking it out.
--
The very first iOS update ever released came about because a group was threatening to publish a giant hole that Apple hadn't fixed even after being privately told about it.
Every iOS update since has included security fixes, some pretty major. There's no way to guarantee that the current version doesn't have holes. In fact, it's almost certain that it does.
--
Apple has been living in a house built of cards and they know it. At any time it could come tumbling down if it turns out that truly malicious code secretly got in and stole information.
There is no way for Apple to detect all unapproved code, especially with the tiny amount of time they have to vette incoming apps. Heck, a kid was able to sneak in a hotspot in his flashlight app. Can't get easier to find than that.
For a hacker, it would be smart to have code that wakes up in a few months or even a year, so it would not be detected early on.
With all the apps in the Apple App Store, I think there's a good chance there are a few right now with code that no one has detected.
The same thing was done to Android back in the early days: researchers would upload apps with intentionally "malicious" code just to get proof and publicity.
--
Android has several hacker groups who are constantly checking new apps for malicious code. It helps that an Android app must declare many security options before it can be installed, whereas an iOS app does not. If an Android tip calculator wants internet and contacts access, you can be sure that someone is checking it out.
--
The very first iOS update ever released came about because a group was threatening to publish a giant hole that Apple hadn't fixed even after being privately told about it.
Every iOS update since has included security fixes, some pretty major. There's no way to guarantee that the current version doesn't have holes. In fact, it's almost certain that it does.
--
Apple has been living in a house built of cards and they know it. At any time it could come tumbling down if it turns out that truly malicious code secretly got in and stole information.
There is no way for Apple to detect all unapproved code, especially with the tiny amount of time they have to vette incoming apps. Heck, a kid was able to sneak in a hotspot in his flashlight app. Can't get easier to find than that.
For a hacker, it would be smart to have code that wakes up in a few months or even a year, so it would not be detected early on.
With all the apps in the Apple App Store, I think there's a good chance there are a few right now with code that no one has detected.
Putting words in my posts now I see. I never said that, I said "pay attention to context if you're going to interject".
What is it with you today ?
FTFY
That's be right there with cracking the jackpot at next week's lottery to accomplish that. I doubt stock-app #85442 did have that much public attention to get that chance.
So I re-watched that video he posted and after the two-minute mark he does say that it only checks for the payload the very first time you launch the app, which explains why he keeps uninstalling and reinstalling the app.
Wouldn't he have been shocked if while making the video, he found himself logging into somebody else's phone and downloading their address book?
So he narrowed the odds of connection here, but the users of the app still don't know for sure if he did anything so it leaves them in an uneasy state. He probably kept solid logs of all "phone home" connections or kept his "phone home" server down until he was making his video. I still think that maybe one more layer of checks like the devices current DHCP server would have been smart to avoid in inadvertent unsuspecting user from getting their phone logged into.
Being able to prove that the code could not have hacked anybody's phone would go a long long way for some folk's ease of mind.
I'm also curious about the download statistics on this Instastock app? Did it become popular in the time since September?
FYI, on Miller's Twitter account he claims that no device ever received a payload from his "phone home" server but his own.
UPDATE: Also on Miller's Twitter account he claims when he exposed a bug in Android that Google tried to get him fired from his employer.
I am willing to bet he the server down until he made the video the test it. After he did the testing he promptly took the server back down and might of gone even farther to tell the server only to accept incoming connections from a single IP address.
Another way to do it is when it does its check for the server IP it checks like 192.168.1.xxx and anyone who does any minor among of home networking will noticed that it is a home network IP address. That make it impossible for an outsider to catch it unless he was on his home network.
The ways to do it can be pretty long. Hell it could have it go to www.somerandomwebsitename.com and then on the routers hosting table that redirects it to his home server. Limits the amount of damage that can be done and put it on a closed system.
I haven't been following the rest of this conversation, so excuse my interjection. But the from what I understand the app was approved in September and he told Apple about the flaw on October 14th -- though according to Miller on Twitter, he did not tell Apple about the app's existence in October.
So Apple has had three weeks to respond to Miller, and he also tells the Macalope on Twitter that Apple acknowledged the bug. Perhaps this fix is included in iOS 5.0.1 (and it should be given that by the time he explains the exploit it would have been a full month).
My only beef with Miller is that he subjected unsuspecting users to the uncertainty of not knowing whether or not he downloaded stuff from their phones. The odds of any problem were slim, but really, everybody just has his word that no other device downloaded a payload but his own -- assuming anybody actually installed the apps besides Miller.
It would have been cool if the app had an additional check -- or perhaps even prompted the user if a payload was found if they wanted to install it and test the iOS exploit -- just to at least notify them that they would be giving potential access to their device. If the app had such code, then a review of the code could provide users with ease of mind. If he did such a prompt he would have had to obfuscate the strings/text for the prompt message otherwise it would have been a tip-off to the approver (something a malicious hacker would not have provided to them).
Yeah, he could have used a 192.168 or a 10.0 address -- that would have certainly shielded any other users who might have downloaded it. All sorts of techniques are available, of which Miller is keenly aware. I'm betting that nobody downloaded this app -- or at least nobody is aware that it is tied to today's news in computer security.
To put it simply, if he had simply reported the bug and announced it without doing a full proof of concept, Apple would have said "yes, but we would have NEVER approved an app with this exploit, so it was never an issue." By testing the full path, Apple can't fall back on their review team as a savior. The real question is has anyone else discovered this, and are there other rogue apps in the app store using this exploit? That's what people should REALLY be worried about.
To put it simply, you don't make an app available for non-researchers if your intent is to notify the people who can fix the security bug.
You report the bug, you give those people the information they need to resolve it. You wait a reasonable amount of time, and if the bug still isn't fixed, you publish the information to apply pressure and so that other researchers can verify it.
If the bug is verified, but the appropriate security team blows it off with the "it'll never happen" you describe above, *then* you make some arrangements to create a special developer account and add the app, setting it's for-sale date for some time significantly in the future so that, even after approval, no one can actually download it. Then, you contact the appropriate developers and inform them that "yes, someone *can* get it through, here's the proof".
There's good ways to go about this sort of thing, and there's bad ways. This guy picked a particularly bad way, and really shouldn't be surprised that his dev account got burned as a result.
I spoke with a company representative today from a large integration house who informed me that they have independently filed a report with cybercrime.gov on this event. Apparently they have been contacted by customers who had installed the Trojan app and have serious legal concerns about compromised information.
Charlie may have been really stupid here, not just ego centric.
Charlie may have been really stupid here, not just ego centric.
Finally found the news post I was looking for, and why it stuck to my head about CM. This was linked as part of a separate story relating to him.
http://www.dailytech.com/Apple+Patc...Year+After+Initial+Discovery/article15427.htm
And wouldn't you think Apple would send in the wolves if someone claimed to have told them about a hole, but didn't?
Miller was able to get this app past the validation checks because the app was unable to do any significant activities in relation to what is required to make actually profitable malware.
This bug provides no good vectors to achieve profitable returns. Combine that with the fact that the process to get a developer account anonymously is much more difficult than for Android and you get what is manifesting in the actual malware ecosystem.
That being malware targeting Android over iOS. This is an exact replica of that which occurred between Windows and OS X. Only now has Mac OS X seen increased instances of malware due to the improvements in security in Windows.
It's because Windows is much more easily exploited.
Smartphone/Tablet OSs only represent a small fraction of the total computing device marketshare of which Windows XP still has almost 50%.
The marketshare of iOS is nowhere near that of Windows XP let alone all versions of Windows, which all represent much easier targets than iOS.
But why would a cyber-criminal bother going through all that extra effort when easier targets exist including easier targets in the mobile marketplace, such as Android.
See my replies to bydandie earlier in this post for more details.
Every update from Apple includes a detailed set of release notes that are presented when the update is downloaded and is accessible via the Apple support website.
http://support.apple.com/kb/HT1222
I can't seem to find Google's support page that provides access to the content of the security patches released for Android.
Something like that or a class-action lawsuit is bound to happen. Miller could get in really nasty legal trouble with his stunt, and that would be deserved, considering the level of douchebaggery he displayed.
Who ever is right or wrong, the field will decide.
And Apple is getting really bad press on this one here in Switzerland.
Like this one, the largest Commuter Newspaper around here:
http://www.20min.ch/digital/dossier/apple/story/29652503
Google Translate to English: http://tinyurl.com/cvyg7sy (http://preview.tinyurl.com/cvyg7sy)
I'm curious what trend the press reports from major news papers around the world are on the subject.
And Apple is getting really bad press on this one here in Switzerland.
Like this one, the largest Commuter Newspaper around here:
http://www.20min.ch/digital/dossier/apple/story/29652503
Google Translate to English: http://tinyurl.com/cvyg7sy (http://preview.tinyurl.com/cvyg7sy)
I'm curious what trend the press reports from major news papers around the world are on the subject.
I have to agree with that .. I don't get why he didn't just write a dull app noone would install anyways. Then again .. he is a smart guy and knew what would happen .. so he probably made sure that the app didn't "accidentially" submit data.
Has anyone actually installed that app .. could maybe take a look at the traffic it generates?
Well .. we'll know more in about a week from now.
T.
You're missing a big point here in the cybercriminal economy, quality is as interesting as quantity. Targetted attacks have been in evidence since 2005, it was only in 2009 that they were sexed up with the name of spear phishing. If I can submit an app and with a payload, that means that I can send an email to someone who will download it from within their own appstore on the iOS device.
There appears to an inordinate focus on privilege escalation, the information gathered from a device can be used for extortion, IP theft or simple corporate espionage. The Chinese FIS have been doing this for years, so why do you assume that the range of jailbroken iOS devices won't have been scrutinised to see what vulnerabilities exist?
We do, however appear to be in agreement that iOS is a target, albeit a small one; a small threat that requires no more than diligence to counter until we obtain evidence otherwise.
From Google Cache:
http://i.imgur.com/URHx6.png
Either he updated the app to remove the juicy bits, or Apple approved the app again, even after he notified them of the bug.
Interesting times.
http://i.imgur.com/URHx6.png
Either he updated the app to remove the juicy bits, or Apple approved the app again, even after he notified them of the bug.
Interesting times.
So he is a security researcher. But he was not hired by Apple to try to break in and find vulnerabilities. It is like if somebody stole money from a bank and later claimed that he wanted to help them to find security holes. He can tell them what he found, but not exploit it to make a point.
I am glad that Apple cares about malicious code in apps and "removes" their developers.
I'm not sure what you're trying to say, but based on what has been reported, the nastiest thing the bug allows is access to contacts list (which is indeed bad, but not quite a disaster). If the bug allowed to read in your mailbox or steal your passwords, that would be a different story; but it doesn't appear to be the case here.
I'm no expert, but it looks like the sandboxing of iOS apps, as well as the limited multitasking abilities of iOS are making the 'security hole' basically useless for seriously nefarious endeavors.
From Google Cache:
http://i.imgur.com/URHx6.png
Either he updated the app to remove the juicy bits, or Apple approved the app again, even after he notified them of the bug.
Interesting times.
He notified of the bug but didn't tell Apple he planted the hack inside the app he submitted/updated. Nothing to see here.
This is FUD and unbelievably huge hyperbole.
The bug, to make it into a real-life threat requires someone with criminal intentions to sign-up for a developer account, providing comprehensive identity information, including a tax-registration identifier, pay $99 with a credit card and link that card to their developer-account. Of course, that is not impossible to forge by some big organized-crime ring, but the likelihood of that happening (with high risk of being tracked down anyway) is pretty low. And all that, notwithstanding the caveats I mention above about what level of 'nasty' can the vulnerability effectively allow.
What I'm saying is that cybercriminals would easily see the contact list of a high profile person or high value person as being valuable. Criminal and coporate organisations alike would pay for that information. It happens, and access to photographs is the same value.
As I've continually said though, whilst the potential for this vulnerability could be there we have no evidence either way that it's prevalent. One thing is sure though, if CM found it, then others will have done too. Does this mean that the sky's falling on our heads? Nope, but it does show that a certain amount of diligence is required even in the iOS world.
Imagine the compromising photographs that could be available on high profile iPhones from guys who just might want a stock tracking app, and you can see why this type of exploit could be extremely high value.
Any politicians on that list? CEOs of major corporations? High profile celebs?
Those crying no potential for financial harm here, or asking us to take Charlie's word on not stealing any data need to rethink your position.
Any politicians on that list? CEOs of major corporations? High profile celebs?
Those crying no potential for financial harm here, or asking us to take Charlie's word on not stealing any data need to rethink your position.
Charlie has too much to lose by stealing information. No big company employs a black hat.
Pretty thin reason, and I doubt the cyber crime division of the FBI will care...
The cybercrime division of the FBI will be the exact same as the PCeU over here; they like to seem busy when they have things handed to them on a plate, but aren't aware of everything else that happens.
Last edited: