Apple bans hacker who reveals App Store exploit code

8 Nov 2011

A programmer who showed how it was possible to slip malware onto iOS devices via apps submitted to the ultra-secure Apple App Store has been removed from the iOS Developer Program.

At the SyScan conference in Taiwan, programmer Charlie Miller demonstrated how it was possible to slip an app containing malware into the Apple App Store.

Using his method, Miller was able to put an app into the store that was capable of phoning home to a remote computer that was then able to download unapproved commands onto the device and execute them at will.

These commands include the ability to steal users’ photos, read contacts and otherwise control the phone remotely.

Miller’s thesis was that, with the new bug, users can no longer be certain that apps they download from the store will behave nicely.

He demonstrated the new capability by getting his InstaStock app accepted onto the iTunes App Store in September as a seemingly innocent enough app that tracked stock prices in real time.

However, as demonstrated yesterday, the app contained secret code that bypassed protections built into iOS devices by Apple’s official cryptographic seal.

InstaStock had capabilities the Apple App Store wouldn’t have allowed without permission, such as the ability to remotely download pictures and contacts stored on an iPhone or an iPad.

He was also able to demonstrate how he could remotely control iPhones with InstaStock installed, such as playing ringtones and making the smartphone vibrate.

Within hours, Miller, who works at security firm Accuvant, was informed by Apple that he was being terminated from the iOS Developer Program for violating his licence, which contained a clause in which he agreed he wouldn’t hide features, content or functionality in apps submitted to the store.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years