Information : Esato News Articles : Evil app passed Apple App Store security control
Even the most strict app store seems to have security issues. A hacker has managed to pass the Apple App Store censorship with a Trojan app.
Esato News
You might have thought that the Apple App Store was a safe place to buy your apps because of the tight control enforced by Apple? It might not have been so safe after all. A hacker has found a way to pass the Apple control with his evil apps. Hacker Charlie Miller made a simple stock ticker app and uploaded it to the Apple App Store. It passed the security guards without any trouble and, as Mr. Miller later proved, this app can be remote controlled by an attacker who has complete control of the iPhone. He can download anything from the phone such as the address book and captured photos. This incident is now out in the open because the hacker Charlie Miller himself has told the world about it. We can only speculate if someone else with real evil purposes has done something similar before. Apple would for sure not say anything about that. It further proves that you should only download and install apps from trustworthy sources, and this applies to all app platforms. Strangely enough, Apple has removed the app from the App Store and terminated Mr. Miller's developer account.
--
Posted: 2011-11-08 14:24:37
The real story here is not so much the app itself (which was only a "proof of concept") but the apparent bug in iOS which allowed it to run the way it did - that shouldn't have been possible even with the AppStore approval, but Miller was exploiting a bug which allowed the app much deeper access than the OS would normally allow any third party app to run external code. Once Apple patch that, it won't matter how many similar apps make it into the store.
Of course Android apps have been actively exploiting similar unpatched weaknesses in that OS for a long time, and nobody polices those at all.
[ This Message was edited by: Boinng on 2011-11-08 14:07 ]
--
Posted: 2011-11-08 15:04:58
The difference between Android Market and the Apple App Store is that this was totally unexpected for those owning an iOS product. Android owners are hopefully treating the Android Market the same way they do the Internet. Do not download executables from unknown/unreliable sources.
--
Posted: 2011-11-08 17:44:12
It seems that Apple has more strict security than Android.
--
Posted: 2011-11-08 18:34:27
I don't like how Esato reports this guy as a hacker though, he was part of Apple's circle of developers.
He simply made an app to show a weakness in Apple's software but went about it the wrong way, he should have contacted Apple first with this POC app and not submitted it for approval.
He did deserve to get the boot from Apple though for going about it the wrong way, as someone could potentially have used the app to perform something sinister, if they'd known what it could do. I think Apple themselves should have been a little more forgiving though and possibly only kicked him out temporarily.
It does show though that Steve Jobs' mighty OS isn't as user friendly as he said it would be. Clearly being a closed OS doesn't mean a better user experience if the users' details are being hacked.
[ This Message was edited by: etaab on 2011-11-08 20:57 ]
--
Posted: 2011-11-08 21:54:07
Hacker - In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge. A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system.
--
Posted: 2011-11-09 00:23:47
If it were me that did it, I'd still be labelled differently though as the word hacker makes people think negatively of you. I think he was more of a QA tester.
--
Posted: 2011-11-09 23:53:15
He'd probably call himself a security specialist or consultant of some kind - it's true that hacker has a pretty negative ring these days. The guy in question is quite well-respected and has done a pretty clever job here by all accounts - he also reported the issue straight to Apple for them to fix, although it has ended up costing him his dev account, since by definition he broke the rules. That seems a shame to be fair - Apple are better off with people like Miller working with them, rather than out on the fringes.
--
Posted: 2011-11-10 00:13:56
Fixed! Back to the world of complete and utter security we go...
http://www.theregister.co.uk/[....]/10/apple_iphone_security_bug/
--
Posted: 2011-11-10 21:48:59
Until next time
--
Posted: 2011-11-10 22:29:49