Slashdot: News for Nerds

Charlie Miller Circumvents Code Signing For iOS Apps

Soulskill posted more than 2 years ago | from the you-can-trust-us dept.

Bug 172

Sparrowvsrevolution writes "At the SysCan conference in Taiwan next week, Charlie Miller plans to present a method that exploits a flaw in Apple's restrictions on code signing on iOS devices, the security measure that allows only Apple-approved commands to run in an iPhone's or iPad's memory. Using his method, an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user's photos, reading contacts, making the phone vibrate or play sounds, or otherwise using iOS app functions for malicious ends. Miller created a proof-of-concept app called Instastock that appears to show stock tickers but actually runs commands from his server, and even got it approved by Apple's App Store." Update: 11/08 02:54 GMT by U L : Not unexpectedly, Apple revoked Miller's developer license.

172 comments

I call this a feature (0)

Anonymous Coward | more than 2 years ago | (#37978036)

It's a feature, not a bug. But who was the intended beneficiary?

Re:I call this a feature (1)

sortadan (786274) | more than 2 years ago | (#37978752)

Yeah, this isn't a security issue, it's just something that is possible. It also violates the developer agreement. All this 'news' is doing is pushing Apple to be even more restrictive with their already barbwire enclosed garden...

App redacted... (1)

inject_hotmail.com (843637) | more than 2 years ago | (#37978058)

App redacted in 3...2...1.

Re:App redacted... (0)

Anonymous Coward | more than 2 years ago | (#37978106)

...and fix released in 5...4...3...2...1.

Re:App redacted... (1)

MichaelKristopeit501 (2018074) | more than 2 years ago | (#37978232)

uh... and fix not approved, and furthermore, the general approval process updated to look for input from external sources used for execution, and auto reject.... similar to early javascript engines and their cross site scripting vulnerabilities were updated.

Re:App redacted... (2)

omnichad (1198475) | more than 2 years ago | (#37978280)

Somebody hacked one of Michael Kristopeit's accounts and used it to post a useful comment! The world is at an end.
 
The external sources are probably web pages. The web page can be javascript-free right up until the app is approved, so I don't see how this can prevent it.

Re:App redacted... (1)

MichaelKristopeit423 (2018892) | more than 2 years ago | (#37978386)

the web page itself is an external source, regardless of the content.

you're an idiot.

Re:App redacted... (1)

X0563511 (793323) | more than 2 years ago | (#37978612)

So, and if your application doesn't do anything with the content unless some magical condition is met? It would just be reading an HTTP GET. Hardly something for Apple to look closely at.

So, the application checks stocks, including the author's own custom stock thingy on his website. Looks pretty innocent.

But if, for example, an HTML comment is on the page with a CRC of 42, it will look for the second comment, which contains the new code. It acts on this.

this initial comment is only there about an hour, about a week after the app has been on sale.

You now have "control" over a whole smegload of phones, and not much of an indication of what you did.

Only deep analysis of the application's code would reveal this kind of thing.

If I can think of this, I'm sure a real cracker could, too.

Re:App redacted... (1)

MichaelKristopeit423 (2018892) | more than 2 years ago | (#37978744)

once a variable contains any content that was EVER set to a value that was in any way sourced externally, that variable is set to non-executable.

it doesn't look innocent at all for an application that is checking for stock values to require execution of the value string.

deep analysis of the application's code is already required for compilation... adding an "executable" flag is trivial... but considering you're sure a real cracker, i'm sure you already thought of that.

you're an idiot.
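The "tainted means non-executable" idea argued in the comment above, as an added example that is not from the post, from Apple or from the Instastock app: a constructed Python model in which any value fetched from the network carries a taint that survives concatenation, and the app's single execution sink refuses a tainted command name while still accepting tainted data as a plain argument. `fetch_quote`, `run_command`, the command table and the canned quote responses are all stand-ins invented for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string that came, even in part, from outside the binary."""
    value: str
    origin: str

    def __add__(self, other: object) -> Tainted:
        # Anything derived from tainted data stays tainted.
        other_val = other.value if isinstance(other, Tainted) else str(other)
        return Tainted(self.value + other_val, self.origin)

    def __radd__(self, other: object) -> Tainted:
        return Tainted(str(other) + self.value, self.origin)


class TaintedExecutionError(Exception):
    """Raised when externally sourced data reaches an execution sink."""


# Constructed stand-in for the app's quote fetch: an HTTP response body is
# always tainted, whatever it happens to contain.
_FAKE_RESPONSES = {"AAPL": "AAPL,392.10", "GOOG": "GOOG,600.00"}


def fetch_quote(symbol: str) -> Tainted:
    body = _FAKE_RESPONSES.get(symbol, "")
    return Tainted(body, f"https://quotes.example.invalid/{symbol}")


def parse_price(quote: Tainted) -> float:
    """Using external content as data is fine: parse it, validate it, show it."""
    _symbol, price = quote.value.split(",", 1)
    return float(price)


# The app's command table: the only code that can ever run is code compiled
# into the binary, selected by literal names that never come from outside.
_COMMANDS = {
    "show_ticker": lambda arg: f"ticker:{arg}",
    "refresh": lambda arg: "refreshed",
}


def run_command(name: str | Tainted, arg: object = "") -> str:
    """Execution sink: refuses any command selector carrying taint."""
    if isinstance(name, Tainted):
        raise TaintedExecutionError(f"refusing to execute data from {name.origin}")
    if isinstance(arg, Tainted):
        arg = arg.value  # arguments are data; unwrapped for display only
    return _COMMANDS[name](arg)


def safe_flow() -> str:
    """External content flows into an argument, never into the command selector."""
    quote = fetch_quote("AAPL")
    return run_command("show_ticker", parse_price(quote))


def remote_selected_command_blocked() -> bool:
    """An app that lets the server choose what runs is stopped at the sink."""
    directive = fetch_quote("AAPL") + "\nrefresh"  # still tainted after concatenation
    try:
        run_command(directive)
    except TaintedExecutionError:
        return True
    return False
```

The distinction the sink enforces is data versus code: a price string from the network may be parsed and displayed, but may never be the thing that decides which routine runs. A real implementation would carry the taint bit through the language runtime or the loader rather than a wrapper class, but the check at the sink is the same.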

Re:App redacted... (1)

MichaelKristopeitDad (2488356) | more than 2 years ago | (#37978900)

Come son, come. Please do realize that code can look innocent while doing malicious things. You know of what I speak.

For example: http://underhanded.xcott.com/ [xcott.com]

There. Examples, contests, code snippets and real life stuff. Go and learn some. I'll be so proud of you.

Lots of kisses.

Dad.

Re:App redacted... (1)

MichaelKristopeit506 (2495010) | more than 2 years ago | (#37979002)

i realize how trivial it is to not allow code to run that has been tainted with externally sourced strings.

you spend your days in a fantasy world you've created relative to me.

you claim to represent people other than yourself. you are an identity thief. you are a felon.

i am michael kristopeit. i live at 4513 brittany ct. eau claire, wi. 54701. i live there in the house i paid cash for with my wife and children and dogs and numerous firearms.

present yourself to me, admit what you've done; then i'll bring upon you the ultimate punishment for your transgressions.

Re:App redacted... (0)

gmhowell (26755) | more than 2 years ago | (#37981248)

i am michael kristopeit. i live at 4513 brittany ct. eau claire, wi. 54701. i live there in the house i paid cash for with my wife and children and dogs and numerous firearms.

Dude, plant a few flowers around your house [google.com] . A splash of color would really liven things up.

Re:App redacted... (1)

MichaelKristopeit355 (1968164) | more than 2 years ago | (#37981358)

considering that picture does not include the flower garden around the mailbox, the blooming bushes around the walkway, or the hanging plants that my wife installed around the porch when we moved in 2 years ago, i'd have to suggest that you, dude, consider using a more reliably updated source for your criticisms.

you're an idiot.

Re:App redacted... (1)

MichaelKristopeitBro (2488396) | more than 2 years ago | (#37978932)

Come now, my beloved brother. Do not fear me, for I am your faithful brother, and lover at times. Only when you tie me up, but still.

Now, insulting people in a forum is not a nice thing to do. Your signal / noise ratio is down to hell again. Dad's going to spank you again on that one!

Love you bro.

Re:App redacted... (1)

MichaelKristopeit506 (2495010) | more than 2 years ago | (#37979218)

you think i fear you? that is very telling.

you're an idiot.

you spend your days in a fantasy world you've created relative to me.

you claim to represent people other than yourself. you are an identity thief. you are a felon.

i am michael kristopeit. i live at 4513 brittany ct. eau claire, wi. 54701. i live there in the house i paid cash for with my wife and children and dogs and numerous firearms.

present yourself to me, admit what you've done; then i'll bring upon you the ultimate punishment for your transgressions.

Re:App redacted... (1)

ArhcAngel (247594) | more than 2 years ago | (#37978648)

-1
You did not use

/. = stagnated

in your post about MichaelKristopeit.

Re:App redacted... (1)

omnichad (1198475) | more than 2 years ago | (#37978764)

Well - if he failed to keep up with his standard crap, then it would be MichaelKristopeit = stagnated.

Re:App redacted... (1)

MichaelKristopeit350 (1968134) | more than 2 years ago | (#37979228)

you're an idiot.

Re:App redacted... (1)

MichaelKristopeit353 (1968162) | more than 2 years ago | (#37979302)

you're an idiot.

Re:App redacted... (1)

MichaelKristopeitDad (2488356) | more than 2 years ago | (#37978840)

I'm so proud of him. My little boy !

Re:App redacted... (1)

MichaelKristopeit351 (1968158) | more than 2 years ago | (#37979244)

you spend your days in a fantasy world you've created relative to me.

you claim to represent people other than yourself. you are an identity thief. you are a felon.

i am michael kristopeit. i live at 4513 brittany ct. eau claire, wi. 54701. i live there in the house i paid cash for with my wife and children and dogs and numerous firearms.

present yourself to me, admit what you've done; then i'll bring upon you the ultimate punishment for your transgressions.

Re:App redacted... (1)

MichaelKristopeitBro (2488396) | more than 2 years ago | (#37978856)

My big brother posted something of value? Maybe I should go cower in his shadow !

Re:App redacted... (1)

MichaelKristopeit352 (1968160) | more than 2 years ago | (#37979268)

you spend your days in a fantasy world you've created relative to me.

you claim to represent people other than yourself. you are an identity thief. you are a felon.

i am michael kristopeit. i live at 4513 brittany ct. eau claire, wi. 54701. i live there in the house i paid cash for with my wife and children and dogs and numerous firearms.

present yourself to me, admit what you've done; then i'll bring upon you the ultimate punishment for your transgressions.

Re:App redacted... (2)

mjwx (966435) | more than 2 years ago | (#37980606)

App redacted in 3...2...1.

But one has to think, if this application was approved, how many other approved applications in the App Store have some form of malicious code or other surreptitious data collection?

It seems the only reason Apple noticed this is because Charlie Miller published it.

This is why Apple's security model is fundamentally flawed. It provides a single point of failure for security. Those of us who work with networks understand that gateway only security doesn't work, so trusting the gateway to get everything and pretending you are secure behind your gateway is foolhardy in the extreme.

Boo apple. (1)

Anonymous Coward | more than 2 years ago | (#37978100)

Yay jailbreak.

Admiral! (1)

Moheeheeko (1682914) | more than 2 years ago | (#37978112)

Enemy lawsuits detected in Sector 3-7!

Re:Admiral! (1)

iluvcapra (782887) | more than 2 years ago | (#37978994)

IT'S A TR.... oh forget it.

Jackson doctor found GUILTY (-1)

Anonymous Coward | more than 2 years ago | (#37978116)

Involuntary Manslaughter. This is large.

Re:Jackson doctor found GUILTY (-1)

Anonymous Coward | more than 2 years ago | (#37978152)

Involuntary Manslaughter. This is large.

Larger than a story about Apple? I don't think so!

Re:Jackson doctor found GUILTY (-1)

Anonymous Coward | more than 2 years ago | (#37978450)

Involuntary Manslaughter. This is large.

Larger than a story about Apple? I don't think so!

Steve Jobs - still dead. More as this story develops!

Not so walled garden... (1)

inject_hotmail.com (843637) | more than 2 years ago | (#37978118)

This isn't really news...I imagine this 'flaw' will be found in every version of iOS until it dies. Not only that, but we should be suspicious of app producers...they say "only install apps from trusted publishers"...yeah...ok...so, no one? If I did that, I'd have only the pre-loaded apps.

Joy...oh joy...oh rapture.

Re:Not so walled garden... (2)

drcheap (1897540) | more than 2 years ago | (#37978240)

...they say "only install apps from trusted publishers"...yeah...ok...so, no one? If I did that, I'd have only the pre-loaded apps.

And I'd have zero.

Re:Not so walled garden... (4, Informative)

sl4shd0rk (755837) | more than 2 years ago | (#37978318)

> This isn't really news

Actually it is. The way these things get fixed are by making people aware of the problem. No software is absolutely bug free. As much as some people would like to stick their fingers in their ears and say "la-la-la not a problem...", there are just as many of us who would like to fix the issue. So, yes this is news.

Re:Not so walled garden... (-1, Troll)

afabbro (33948) | more than 2 years ago | (#37979138)

> This isn't really news

Actually it is. The way these things get fixed are by making people aware of the problem. No software is absolutely bug free. As much as some people would like to stick their fingers in their ears and say "la-la-la not a problem...", there are just as many of us who would like to fix the issue. So, yes this is news.

No it's not, and you didn't read what he said before you got on your little "what I learned on security-howto-tutorials.org last week" soapbox.

Re:Not so walled garden... (1)

DJRumpy (1345787) | more than 2 years ago | (#37979504)

Actually it was a flaw introduced last year when Apple relaxed restrictions, apparently to increase browser speed:

From TFA:

Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 early last year. To increase the speed of the phone’s browser, Miller noticed, Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, he realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.)

The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like. “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

Miller won’t say just what that bug is until his talk next week in order to give Apple more time to fix the flaw.

Miller’s exploit in some ways resembles another hack created by John Oberheide in Google’s competing Android operating system. Using a program called Rootstrap, he showed how an innocent-looking Android app could download and run malicious code after making its way onto a user’s phone. (He used a fake Twilight-themed application to demonstrate the potential attack.)

Meaning this can be closed just as easily at the loss of whatever speed perks the relaxed rules offered, or potentially just by resolving whatever exploit was found. In any case, it is news, and highly unlikely it would exist in every version of iOS since it appears to be in only 4.3 and higher.

Re:Not so walled garden... (0)

Anonymous Coward | more than 2 years ago | (#37981032)

This isn't really news...I imagine this 'flaw' will be found in every version of iOS until it dies. Not only that, but we should be suspicious of app producers...they say "only install apps from trusted publishers"...yeah...ok...so, no one? If I did that, I'd have only the pre-loaded apps.

You trust Apple?

Code Signing? (0)

Anonymous Coward | more than 2 years ago | (#37978160)

What does this have to do with code signing? Sounds like the entire security model is busted on these devices. I don't care if an application is 'signed' or not -- what I want is a security model that absolutely forbids all permissions unless specifically granted.

This is not rocket science.

Re:Code Signing? (2)

beelsebob (529313) | more than 2 years ago | (#37978478)

Yes it is actually. How do you implement an API that guarantees that you go through that API to get access to something? It doesn't matter if you build your lovely "you don't get permission to anything unless the gatekeeper agrees" system, if you can simply go "well, I'm ignoring the gatekeeper and jumping through this hole in the wall". That's what a security flaw actually is ;)

Re:Code Signing? (0)

Anonymous Coward | more than 2 years ago | (#37978696)

If your app has not been granted the 'vibrate phone' permission by the user, and the phone allows said App to vibrate the phone: the security model is inherently broken.

All applications should be sandboxed, and EVERY api call out of that sandbox should have permissions checked. 'nuff said.
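The default-deny model asked for a few comments up ("absolutely forbids all permissions unless specifically granted") and the point made here that every API call out of the sandbox must be permission-checked, as one added example that is not from either comment or from iOS: a constructed Python broker through which every service call from an app must pass, with an explicit grant set, no implicit allow for unknown permissions, and an audit trail a defender can inspect. The service functions, permission names and app id are all invented for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised for any call out of the sandbox that lacks an explicit grant."""


# Constructed stand-ins for platform services; a real OS exposes these natively.
def _read_contacts() -> list[str]:
    return ["Alice", "Bob"]


def _read_photos() -> list[str]:
    return ["IMG_0001.jpg"]


def _vibrate() -> str:
    return "bzz"


# Every service reachable from a sandboxed app is keyed by the permission it needs.
SERVICES = {
    "contacts.read": _read_contacts,
    "photos.read": _read_photos,
    "device.vibrate": _vibrate,
}


@dataclass
class Broker:
    """Mediates all calls from one app: default-deny, with an audit trail."""
    app_id: str
    granted: set[str] = field(default_factory=set)
    audit: list[tuple[str, str, bool]] = field(default_factory=list)

    def grant(self, permission: str) -> None:
        # Grants are only possible for permissions the platform actually defines.
        if permission not in SERVICES:
            raise KeyError(f"unknown permission {permission!r}")
        self.granted.add(permission)

    def call(self, permission: str):
        # Unknown and ungranted permissions are both refused; nothing is implicit.
        allowed = permission in self.granted and permission in SERVICES
        self.audit.append((self.app_id, permission, allowed))
        if not allowed:
            raise PermissionDenied(f"{self.app_id} lacks {permission}")
        return SERVICES[permission]()


def denied_calls(broker: Broker) -> list[str]:
    """Detection view: which permissions did the app try to use without a grant?"""
    return [perm for _, perm, ok in broker.audit if not ok]


def demo() -> dict:
    """A stock app granted only vibrate, which then probes contacts, photos and an undefined permission."""
    broker = Broker("stockapp.example")  # constructed app id
    broker.grant("device.vibrate")
    results = {"vibrate": broker.call("device.vibrate")}
    for probe in ("contacts.read", "photos.read", "network.raw"):
        try:
            broker.call(probe)
            results[probe] = "allowed"
        except PermissionDenied:
            results[probe] = "denied"
    results["audit_denied"] = denied_calls(broker)
    return results
```

The audit list is the part a security team actually uses: an app that was granted one permission and is logged probing several others is exactly the signal a store review or an on-device monitor would want, whether or not any single probe succeeded.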

Re:Code Signing? (1)

Pieroxy (222434) | more than 2 years ago | (#37978988)

The whole point is that there is a security hole in Apple's security model. What you say is that if there is a bug, it implies the model is inherently broken?

Wow, lots of things are broken down here, trust me on that one.

Heaven forbid! (4, Funny)

ackthpt (218170) | more than 2 years ago | (#37978224)

It could also lead to people developing unapproved apps and selling them to people on the black market - and thus, with the wall breached, the Apple hegemony fell and there was much rejoicing!
"Yea!"

Treacherous computing (2)

impaledsunset (1337701) | more than 2 years ago | (#37978548)

That's the definition of trusted computing - it trusts someone else, and not the owner. So that someone else, or anyone who compromises them, gets to control your device before you do.

Re:Treacherous computing (1)

pipedwho (1174327) | more than 2 years ago | (#37979602)

True. But the alternative to that is untrusted computing - ie. any app you install gets more control over the device than you.

The vast majority of users are not even remotely capable of providing a higher level of trust than a competent third party. This is akin to representing yourself in court instead of hiring a lawyer who is an expert in the laws and defence techniques that apply to your case. Step and repeat for each app you install.

Re:Treacherous computing (1)

zoloto (586738) | more than 2 years ago | (#37980064)

with nearly all of the iOS users out there, this is a far better alternative than trusting them.

Not a flaw (1)

aaaaaaargh! (1150173) | more than 2 years ago | (#37978254)

It's not a flaw, it's a feature!

Translation (3, Informative)

Bogtha (906264) | more than 2 years ago | (#37978274)

Most of the article was quite puzzling, as this is nothing new or remarkable. It's really quite simple to have your application execute stuff it downloads.

If I can reverse-engineer the uninformative article a little, I would hazard a guess to say that he's found a way of bypassing the NX bit protection using Safari as an attack vector. This means that he would be able to inject arbitrary ARM code that wasn't present on the device at review time, meaning that he could execute code against APIs that the application wasn't originally using (but which are available for applications to use legitimately).

As an attack, it sounds real enough, however in real-world terms, Apple's review process is leaky enough to avoid getting caught anyway. Their review consists of some trivial automated checks and everything else is handled by a human reviewer who just looks at the application from an end-user's point of view. During the submission process you have to include instructions on how to trigger any Easter eggs in your application because they wouldn't otherwise find them.

Re:Translation (1)

h4rr4r (612664) | more than 2 years ago | (#37978454)

So then why has no one just built an app that is friendly until 10k downloads at which point it does some evil?

To me it seems like something spammers/malware folks would have thought of by now

Re:Translation (1)

icebraining (1313345) | more than 2 years ago | (#37978706)

How do you know there aren't multiple of those already on the Store and simply haven't been detected?

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37979454)

Because only Android has malware, the iFags said so so it must be true.

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37978502)

Most of the article was quite puzzling, as this is nothing new or remarkable. It's really quite simple to have your application execute stuff it downloads.

How so? I'm not being facetious: execve(), posix_spawn() etc are all blocked for regular applications, as is dlopen(). Or do you mean integrating a dynamic linker in your program, mmap'ing the file and fixing up all relocations yourself?

Re:Translation (1)

snemarch (1086057) | more than 2 years ago | (#37978872)

At the very basic level, it's as simple as stuffing code in a buffer and executing it. Yeah, iOS has had ASLR for a while, but since the host program is cooperating... :)

Re:Translation (2)

Goaway (82658) | more than 2 years ago | (#37979624)

All memory allocated by user apps is NX. Your code is not going to execute no matter how many buffers you stuff it in.

Re:Translation (1)

Elbart (1233584) | more than 2 years ago | (#37978540)

At least the app had no bare tits. The security flaws? Meh.

reading comprehension (1)

goombah99 (560566) | more than 2 years ago | (#37979534)

next time RTFA. it's not at all like what you said.

Re:Translation (1)

jbolden (176878) | more than 2 years ago | (#37979594)

He doesn't have to do that. Just have an interpreter that is built in with the c functions being rather full featured but mostly not used.

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37979900)

> If I can reverse-engineer the uninformative article a little, I would hazard a guess to say that he's found a way of bypassing the NX bit protection using Safari as an attack vector.

No, Safari isn't used. But Safari has an exception in the system so it can do a few things other apps can't, like run JIT-compiled code. And what he does is use some vulnerability in the system so that his app, too, either falls under or is able to abuse that exception.

Wrong! (0)

Anonymous Coward | more than 2 years ago | (#37978292)

You're programming it wrong!

Re:Wrong! (1)

Elbart (1233584) | more than 2 years ago | (#37978520)

Obviously.

Native code (4, Interesting)

cbhacking (979169) | more than 2 years ago | (#37978312)

So long as iOS apps are developed using a language that allows pointer access, including function pointers, people are going to find and exploit bugs like this. It's actually a really interesting parallel to homebrew development on Windows Phone (yes, I have one, in addition to a few Linux devices - no iOS ones though): you can do native code on WP7, but you have to use COM to access it. Microsoft prohibits ISVs from using the COM import API from C#/VB in marketplace apps, so they can very easily block this kind of thing by just checking for references to a few specific APIs (they also block the use of C# "unsafe" pointers).

Now, I'm not exactly advocating that Apple needs to re-design their entire application model. However, the fact remains that the way they do it, it's almost impossible to really verify that any given app isn't doing something like this, short of code-reviewing the source of every submission and rejecting any that are too hard to understand (completely impractical). It means they *are* vulnerable to malware, though - even from the "trustworthy" marketplace.

Re:Native code (2)

h4rr4r (612664) | more than 2 years ago | (#37978496)

It does not matter what they do, without code reading apps can always do evil.

I could submit a time zone calculator app that waits until 06/06/2012 and instead of opening properly shows goatse. With the limited testing apple does how would they ever know?

Re:Native code (1)

h4rr4r (612664) | more than 2 years ago | (#37978566)

I meant code reviews. They would also have to reject any app more complicated than the most basic of software.

Re:Native code (1)

Beryllium Sphere(tm) (193358) | more than 2 years ago | (#37979294)

"Almost impossible"?

It's a more complicated problem than determining whether the program will halt.

Re:Native code (1)

jbolden (176878) | more than 2 years ago | (#37979616)

Well he got through one wall with that method. There are still more walls.

Ok, fanbois tell me all about the wall garden (1)

h4rr4r (612664) | more than 2 years ago | (#37978348)

It was only a matter of time. Since they only do blackbox testing, it should not have taken this long for an app to get approved that waits to do evil until after it is in the wild.

Re:Ok, fanbois tell me all about the wall garden (1)

snemarch (1086057) | more than 2 years ago | (#37978446)

...who says there aren't already apps out there doing this? :)

Re:Ok, fanbois tell me all about the wall garden (0)

Anonymous Coward | more than 2 years ago | (#37978998)

It was only a matter of time. Since they only do blackbox testing, it should not have taken this long for an app to get approved that waits to do evil until after it is in the wild.

The article says that the vulnerability was introduced in iOS 4.3, which was released approximately 8 months ago. Furthermore, the article states that this guy speculated about the vulnerability and took time trying to find if it actually existed. Once found, it takes time to find a way to exploit in the wild. Given the credentials this guy has - according to the article - it is hard to believe that a lot of hackers would find this a LOT sooner than him. It looks like his app was approved for the app store about two weeks ago.

So... I would bet that the window of opportunity has only been around for two or three months and probably even less.

Charlie Miller? (1)

Hatta (162192) | more than 2 years ago | (#37978380)

I bet he's recording some sick jams [archive.org] with his unsigned iOS apps.

So (0)

Dunbal (464142) | more than 2 years ago | (#37978614)

When it happens to a Windows device it's called a "security vulnerability" and when it happens to an iOS device it's a "feature"?

Re:So (0)

MobileTatsu-NJG (946591) | more than 2 years ago | (#37978760)

And when it happens to OSS it's an example of how it's inherently more secure.

Re:So (0)

Anonymous Coward | more than 2 years ago | (#37980860)

Surely you mean "MS's only product without holes is MS Colander", "Plug your ears more, fanboy, Reality Distortion Field will shield you", and "Did reading that source help you, FOSS hippie?"

last line is a gem (0)

Sebastopol (189276) | more than 2 years ago | (#37978730)

FTA:

“Android has been like the Wild West,” says Miller. “And this bug basically reduces the security of iOS to that of Android.”

Lolz.

Re:last line is a gem (1)

VJmes (2449518) | more than 2 years ago | (#37979492)

Ignoring ASLR, Sandboxing & the security that naturally comes from a more closed-off (walled) solution.

Re:last line is a gem (1)

cbhacking (979169) | more than 2 years ago | (#37979680)

Did or did you not notice that the whole point of what Charlie Miller did was that the sandbox was breached, despite ASLR, and he was able to do it from an app allowed into the walled "solution"?

Please explain how an app store that is unable to detect malware but *claims* to be inherently secure is actually more secure? If anything, I see it as the opposite - it will delude people (like yourself) into thinking it's safe, when it's actually not. Android, by comparison, is acknowledged to have malware - meaning people need to be more cautious about the apps they install.

Re:last line is a gem (0)

BasilBrush (643681) | more than 2 years ago | (#37981000)

Did or did you not notice that the whole point of what Charlie Miller did was that the sandbox was breached

I noticed from the examples that the sandbox was NOT breached. The things described - accessing photos, contacts etc are system services that any ordinary sandboxed app from the app store can already access. What was not claimed was anything that broke the sandbox, such as reading or writing from/to one of the other apps.

Android, by comparison, is acknowledged to have malware

Unlike the iOS App Store. And you're somehow trying to paint that as an advantage/more secure. Which is the dumbest argument I've read all day.

Kind of like trying to claim classic versions of Windows to be the most secure OSs, because at least they are acknowledged to have thousands of viruses.

Already removed (1)

joh (27088) | more than 2 years ago | (#37978774)

The app in question has already been pulled from the App Store. And I'm quite sure the flaw that allows executing code via some hole in Safari will be fixed very soon. iOS 5 supports delta updates now, so Apple can (and will) come with small updates much more often than in the past.

I'm still torn about security in such appliances. Ideally the user should fully own the device as well as all code running on it, but in practice, users being what they are, having a central control instance may very well be the lesser evil.

With digital devices filling every part of my life now the very thought of being personally responsible for every bit of code running on every one of them makes me shudder. Life is just too short for that.

Do I trust Apple? Not very much. Do I trust Apple more than myself when I haven't got the time to spend more than a few minutes a day to care for each device (and its software) that I own and use? Probably, yes. Sad but true.

Re:Already removed (2)

nwf (25607) | more than 2 years ago | (#37978950)

The app in question has already been pulled from the App Store. And I'm quite sure the flaw that allows executing code via some hole in Safari will be fixed very soon. iOS 5 supports delta updates now, so Apple can (and will) come with small updates much more often than in the past.

Unless he's figured out how to sign apps such that the OS thinks they are from Apple, and aren't. Then Apple would have to revamp their code signing system.

Re:Already removed (1)

Goaway (82658) | more than 2 years ago | (#37979628)

He hasn't.

Re:Already removed (1)

jbolden (176878) | more than 2 years ago | (#37979646)

Well that's breaking encryption in general. That takes down much more than just the app store.

Re:Already removed (1)

nwf (25607) | more than 2 years ago | (#37979942)

Well that's breaking encryption in general. That takes down much more than just the app store.

Assuming Apple's algorithms are implemented properly, which is never a guarantee. Look at Sony.

Re:Already removed (1)

jbolden (176878) | more than 2 years ago | (#37980320)

The provisioning profile stuff is an open source part of Core Data. I haven't personally checked it, but given that the encryption has been in the open for 5 years....

Misunderstanding as to approval? (1)

mveloso (325617) | more than 2 years ago | (#37978936)

The summary says "Apple-approved commands to run in an iPhone's or iPad's memory."

I'm not sure if that's the normal slashdot misunderstanding/hyperbole, if it's another reporter ignorance/flamebait thing, or if that's actually in what cmiller posted.

Apps are Apple-approved. Apps can't use Apple's non-public frameworks. Saying you can't run non-Apple-approved commands is completely inaccurate.

Re:Misunderstanding as to approval? (1)

Elbart (1233584) | more than 2 years ago | (#37979040)

You might want to, you know, RTFA.

Still safer than completely unvetted apps (1)

gstrickler (920733) | more than 2 years ago | (#37979026)

It's not more secure (Charlie Miller keeps demonstrating that), but for the typical user (who doesn't know enough about security to judge an app), having a vetting/approval process such as Apple's still offers a safer environment than running completely unvetted apps (such as on the Android stores).

Re:Still safer than completely unvetted apps (3, Insightful)

cbhacking (979169) | more than 2 years ago | (#37979170)

Except, it gives a false sense of security. With Android (or PC) apps, I know that there's a risk of malware, so I'm cautious. With iOS - well, I don't have one, but I imagine there are a lot of people who think "it *can't* have malware, Apple checks everything!" and therefore completely trust anything in the app store.

The purpose of work like this is to demonstrate that Apple has misled those people; you can't simply trust everything. The only thing worse than an obviously untrustworthy app source is an untrustworthy app source that *appears* to be trustworthy.

Re:Still safer than completely unvetted apps (1)

gstrickler (920733) | more than 2 years ago | (#37979258)

Which makes absolutely no difference to the 95+% of users who don't know enough about security to make such an evaluation. No matter how many times users get burned, if they don't understand security, most of them will make the same mistake next time simply because they don't know how to evaluate an app for security. And for those who do know about security, it doesn't stop them from exercising caution. Therefore, the "false sense of security" actually makes no difference.

Re:Still safer than completely unvetted apps (0)

Anonymous Coward | more than 2 years ago | (#37979458)

It boils down to security theater versus real security:

On Android with a rooted device, even if an app is malicious, it won't be getting contact info, GPS location, mailbox stuff, files from the SD card without being explicitly allowed to do so.

The iPhone hands all that out. If your app is allowed to run, you can happily slurp up contacts, photos, mailbox contents, user location, and the user can't do a single thing about it except uninstall the app. Install iFirewall on a JB-ed iPhone. Then run apps as normal. You will be surprised at how many adware, click counters, behavioral tracking counters, and other crap sites an app connects to before actually doing anything useful.

I just hope the remnants of the Dev Team find a hardware exploit similar to SHAtter in the new hardware... and this time don't give it to people who would hand it to Apple or otherwise burn it for their own personal ego. At least this would give future iOS versions the ability to be jailbroken even if the JB is tethered.

Re:Still safer than completely unvetted apps (0)

Anonymous Coward | more than 2 years ago | (#37979878)

Except, it gives a false sense of security. With Android (or PC) apps, I know that there's a risk of malware, so I'm cautious. With iOS - well, I don't have one, but I imagine there are a lot of people who think "it *can't* have malware, Apple checks everything!" and therefore completely trust anything in the app store.

Great, but you're clearly not an Average User. I've talked to several who own a Windows Phone, Android device, or iOS, and the basic response is the same: it can't get malware because it's a phone. Even when I explain it can, the response is always "Well, (Apple|Google|Microsoft|T-Mobile|AT&T|HTC) will prevent it from happening". Average users don't understand the risk associated with computers, and we've already crossed the Rubicon; we can't train them. We, as an industry, have no choice but to make these things as secure as users think they are.

Re:Still safer than completely unvetted apps (1)

BasilBrush (643681) | more than 2 years ago | (#37981102)

Except, it gives a false sense of security. With Android (or PC) apps, I know that there's a risk of malware, so I'm cautious.

And why do you imagine your caution is better than someone whose job is vetting apps? For example, what automated tools do you have for looking for suspicious API calls? Do you, like the app store reviewers, have test devices that don't contain your actual live data? Do you, like the app store, find out that the developer of the app is real enough to have a tax code?

Or is the reality of your "caution" that you're just going to guess?

Re:Still safer than completely unvetted apps (1)

R3d M3rcury (871886) | more than 2 years ago | (#37980358)

Well, that depends.

Take the TSA as an analogy. One of their many jobs is to detect things like knives, guns, explosives and other nasty things being brought aboard airplanes. And they are pretty successful when people have forgotten that they have one of the forbidden items in their luggage. But if you make a bit of an effort to hide these things, they seem to have a poor success rate for detecting them.

Generally, most people have a pretty low opinion of the TSA's "Security Theater." It doesn't really make you any safer, but it looks and sounds impressive.

The App Store is basically the same thing. It probably does a decent job of keeping the blatantly obvious threats out (e.g., some Apple employee says, "Why does your game call Address Book APIs?" rather than expecting the user installing the game to do it).

Re:Still safer than completely unvetted apps (1)

gstrickler (920733) | more than 2 years ago | (#37980616)

Flawed analogy. Forget that the TSA is searching for weapons when they need to be watching for suspicious behavior. Forget that they're irradiating passengers and groping others for their illusion of security.

The fundamental problem with the analogy is that air passengers know to watch for weapons, suspicious behavior, etc. In fact, passengers are the only ones who have actually caught any attempts at terrorism in the last 10 years, not the TSA. Passengers can still do something to detect and stop an attacker on a plane. Software users don't know what to look for, what is suspicious behavior, where to look for it, or how to stop it if they could detect it. And given the nature of software, that all of the "work" is hidden from the user, there is very little a user CAN look for, and if they do detect something, it's probably too late.

They're two totally different environments, requiring two different approaches to safety.

Re:Still safer than completely unvetted apps (0)

Anonymous Coward | more than 2 years ago | (#37981064)

What's the ratio of passengers who can stop an armed terrorist and what's the ratio of phone users who can notice and report a misbehaving app?

The analogy still holds, as it describes the security checkpoint, not the whole system.

Re:Still safer than completely unvetted apps (1)

R3d M3rcury (871886) | more than 2 years ago | (#37981450)

I'm not sure I see the flaw.

TSA's job is to prevent passengers from bringing weapons onto the airplane. They have some successes [nypost.com] and notable failures [judicialwatch.org] in doing this. Apple's job is to prevent malicious code from running on our iPhones and iPads and I'm sure they have some successes and failures.

What you're saying is that it's okay that the TSA might fail every now and again because the passengers will spot the malicious person and prevent him from performing his dastardly task. Of course, passengers [cnn.com] tend [huffingtonpost.com] to [msn.com] generate [freerepublic.com] more [breitbart.com] false positives [tourexpi.com] because they are not trained in security.

But if you want to go with this analogy, Android would be a more secure environment than iOS. Android has various tools that smart people can use to find malicious software. So, to carry this into your analogy, using Android is like flying on an airplane with a group of passengers who understand security and can spot the evildoer and warn others. iOS is like flying on an airplane where everybody says, "Oh, they made it through the TSA checkpoint. They must be okay."

Actually less safe than completely unvetted apps (1)

mjwx (966435) | more than 2 years ago | (#37980662)

It's not more secure (Charlie Miller keeps demonstrating that), but for the typical user (who doesn't know enough about security to judge an app), having a vetting/approval process such as Apple's still offers a safer environment than running completely unvetted apps (such as on the Android stores).

Actually it's less safe.

Users in the "walled garden" have a false sense of security; the security is breached and the users still unquestioningly trust everything from a now untrustworthy source.

Apple has a vetting process that doesn't work. How is that different to an unvetted source?

So essentially, with Android you have unvetted applications, with Apple you have unvetted applications and a user base which is actively ignorant of security issues. Despite the rumours to the contrary, there has been no great Android outbreak precisely because Android users are aware of their own security.

Re:Actually less safe than completely unvetted app (1)

BasilBrush (643681) | more than 2 years ago | (#37981196)

So essentially, with Android you have unvetted applications, with Apple you have unvetted applications

Except that Apple do do vetting, and thus do have vetted apps.

You claim it doesn't work. The lesson of 4 years of the Apple App store is that it does work.

Despite the rumours to the contrary, there has been no great Android outbreak precisely because Android users are aware of their own security.

The average Android user is not like you. The average Android user is the average phone user. They're not geeks. They don't understand security. They are exactly the same people that load animated cursors, smiley packages and screensavers on their Windows PCs.

There has been lots more malware on Android than iOS.

Re:Actually less safe than completely unvetted app (1)

gstrickler (920733) | more than 2 years ago | (#37981644)

First, clearly you didn't read my reply [slashdot.org] to the previous commenter who used the "false sense of security" fallacy. Actually, the "false sense of security" argument can be many fallacies, linked below:

Appeal to belief [nizkor.org] . e.g. Many people claim it gives a false sense of security, therefore, it must. Show that it actually has that effect before you use it as your premise. A hypothetical premise only gives a hypothetical result.

Begging the question [nizkor.org]. e.g. "Giving people a false sense of security makes them less safe" assumes that they have the knowledge and ability to do something useful to mitigate the risk AND that they would do something different if they didn't have that "false sense of security". However, 95+% don't have that knowledge, and the evidence is that most don't change their behavior even after they've been informed of the risks. The assumption is false; therefore, the conclusion is fallacious.

Composition [nizkor.org] . e.g. Because I/we/technical users possess the knowledge and ability to recognize security risks, all users would behave the way I/we would. Your/Our behavior (or theoretical behavior) does not represent what most users will actually do.

Ignoring a common cause [nizkor.org] . e.g. Users are careless when they think they're safe, therefore, they are careless because they think they're safe. In fact, most users are either always careful, or always careless, regardless of whether they think they're safe.

The article title is a bit misleading (1)

monomania (595068) | more than 2 years ago | (#37979662)

What has been broken here is not the code-signing apparatus per se but another part of the Apple security regimen; it appears this doesn't affect the need to have a valid initial certification to begin with. If the signing mechanism were defeated, that would conceivably allow anyone and his dog to upload and sell apps on the store without registering as a developer. But it isn't. So, in fact, the only people who could leverage this issue for nefarious purposes are people who are already working in the marketplace trying to earn a legitimate dime.

The issue as presented is still as serious (or as not-serious) as outlined, as it allows me as a developer to do some pretty wanky things at the expense of the user's trust in my app -- but how many legit developers will risk burning their karma with users (let alone Apple) in order to exercise this? And Apple will have it fixed before any new bad actors get themselves hoisted into place with dev credentials. Am I too optimistic about iOS developers being other than evil miscreants-in-waiting?

I Can't Believe This Worked (0)

Anonymous Coward | more than 2 years ago | (#37979668)

I have always thought that executing code on an iOS device in this way was possible; I just never thought Apple would actually miss the fact that the app was downloading external code.

First Law of Software (0)

Anonymous Coward | more than 2 years ago | (#37980092)

There is no such thing as perfect software, only inadequate testing.

Twilight-themed? (0)

Anonymous Coward | more than 2 years ago | (#37980456)

Using a program called Rootstrap, [John Oberheide] showed how an innocent-looking Android app could download and run malicious code after making its way onto a user’s phone. (He used a fake Twilight-themed application to demonstrate the potential attack.)

That isn't fair; why only target the unintelligent demographic for your proof-of-concept?

Well-researched article, not! (1)

scdeimos (632778) | more than 2 years ago | (#37980644)

The opening words of TFA:

Apple's iPhones and iPads have remained malware-free thanks mostly to the company's puritanical attitude toward its App Store: Nothing even vaguely sinful gets in, and nothing from outside the App Store gets downloaded to an iOS gadget.

WTF? Are you serious? Games and apps download data external to the App Store all the time. e.g.: The myFish3D app downloads new 3D models for fish and ornaments from its home site, uselessiphonestuff.com.
