Charlie Miller releases iPhone exploit

Security researcher Charlie Miller has released a proof-of-concept app for Apple iOS which is able to pull unsigned and untrusted code from a remote source and run it.

The reason this is troubling is: All apps that get published to the Apple store must be verified by Apple to not contain any malicious code. This is done through a process called Code signing. In the exploit Miller unveiled, an attacker would be able to pass a rogue app through the Apple store, then use it to contact a remote server and download and execute any arbitrary code from the server. A flaw such as this could result in a user’s private information being stolen by an Apple-approved app. This would decrease overall consumer confidence in Apple and might affect their stock price.

After the proof-of-concept was revealed to be an exploit, Apple responded by revoking Miller’s developer status. This is a controversial move, as Apple had three weeks after Miller disclosed the vulnerability to them to fix it. However, Miller’s app, Instastock, was in clear violation of the Terms of Service.

View the exploit in action here.


3 thoughts on “Charlie Miller releases iPhone exploit

  1. Pingback: Malicious app penetrates iTunes | The future belongs to those who prepare for it today

    • The program was available to download on the App Store, but the intent wasn’t malicious, just to show that it could be done.

      Charlie Miller gives a demonstration of how his unmodified iPhone could be exploited, in the video.

Comments are closed.