Apple has always been pretty proud of the way its iPhone handles security, and for good reason. While Android users have had countless apps stealing data, mugging old ladies and generally being bad news, Apple’s App Store review process has kept the baddies out of iOS.
That is, until now.
Forbes reports that security researcher Charlie Miller, formerly of the NSA, has released a video showing one of Apple’s iPhones merrily executing unsigned code. Or, in English, he made an iPhone do things that Apple never authorized.
Miller made a simple stock checker app that he got added to the App Store via Apple’s usual review process, and at first blush, it’s just your average iOS app. Running the app normally doesn’t give the game away, but when Miller activates something on a server the app accesses, he gains access to the iPhone remotely, and is able to launch apps, make the iPhone vibrate and more. The ‘more’ includes being able to browse the iPhone’s file system and even download the contents of its Address Book – a security flaw the likes of which nightmares are made of.
Apple has since removed the app from the App Store, and has also terminated Miller’s iOS Dev Center license as a result of this research.
What these developments mean is that a malicious user could, in theory at least, get an app through Apple’s review process and then systematically steal great amounts of data from countless numbers of people worldwide.
Apple is already hard at work on iOS 5.0.1, with two beta releases already in the hands of testers. Apple is hoping to put the current battery issues surrounding iOS 5 to bed, but it seems they may have bigger fish to fry now. Security always trumps battery life, and we’d rather Apple’s boffins work on securing our data than making our iPhones last a couple extra hours!
Charlie Miller has released an interesting video showing off just what he managed to achieve, and it makes for scary watching if you’re the kind of person who worries about security. With our iPhones holding more and more of our digital lives, Apple can ill afford a security scare at a time when the company is already coming to terms with the loss of its co-founder Steve Jobs, and a brewing ‘batterygate’ situation.