Charlie Miller, a longtime Mac hacker, has earned himself a bit of notoriety this week by revealing a security hole in iOS and losing his Apple Developer Program license in the process. He managed to identify an exception, introduced in iOS 4.3 and present in later versions, that allows the browser to run unsigned code in memory, which he then expanded to include other apps, thereby skipping the code-signing check that is fundamental to iOS security. The result, as demonstrated in the video below, is that seemingly benign apps can make use of that exception to download and run unchecked and unauthorized code through the system. Charlie demonstrates the problem using his Instastock app, which in itself contains no malicious code and was therefore approved for publication on the App Store. Using it, he manages to remotely trigger YouTube video playback on his iPhone, the handset's vibration function, and even a download of all his contacts to the computer sending out the code.
Needless to say, this is a pretty major vulnerability in the typically ironclad App Store defenses, and Charlie's decided to keep the particulars of the flaw under wraps until the SyScan conference in Taipei in order to give Apple time to patch the problem. The first response from Cupertino, however, has been to yank Charlie's app from the App Store — understandable, since it is a form of malware — and his name from its Developer Program. The latter move is likely motivated by the fact that Charlie opted to publish his findings in app form (thereby clearly breaking Apple's rules for developers), but it still strikes us as draconian when the man's trying to alert Apple to the problem instead of exploiting it for his own gain.
Having witnessed his ouster from Apple's dev program, Brandon Watson from Microsoft's developer relations team has been quick to reach out to Charlie Miller with an offer of a free Windows Phone developer account. We doubt Charlie will be so quick to jump ship and Microsoft's reaction is clearly a play for good publicity as much as anything else, but this still illustrates Redmond's greater willingness to engage with developers.
The main thing to take away from all of this is that iOS apps aren't as secure as we once thought them, though the fix should be arriving pretty soon considering the SyScan conference kicks off on the 17th of this month. Check out the links below for more on this story, including Apple's letter informing Charlie of his rule infractions.