A software flaw in Apple Inc’s iPhones and iPads may allow hackers to build apps that secretly install programs to steal data, send text messages or destroy information, according to an expert on Apple device security.
Charlie Miller, a researcher with Accuvant Labs who identified the problem, built a prototype malicious program to test the flaw. He said Apple’s App Store failed to identify the malicious program, which made it past the security vetting process.
There is as yet no evidence that hackers have exploited the vulnerability in Apple’s iOS software. But Miller said his test demonstrated that there could be real malware in the App Store.
“Until now you could just download everything from the App Store and not worry about it being malicious. Now you have no idea what an app might do,” Miller said.
Miller said he proved his theory by building a stock-market monitoring tool, InstaStock, that was programed to connect to his server once downloaded, and to then download whatever program he wants.
(To see a YouTube video demonstration of the technique, go to http://www.youtube.com/watch?v=ynTtuwQYNmk)
Apple did not respond to requests for comment.
Miller, who in 2009 identified a bug in the iPhone text-messaging system that allowed attackers to gain remote control over the devices, said that he had contacted the company about the vulnerability.
“They are in the process of fixing it,” he said.
Miller is scheduled to present his detailed research at the SyScan ’11 security conference in Taiwan next week