A software flaw in iPhones and iPads could let hackers build apps that secretly install malware and still pass Apple’s App Store vetting process, according to a security expert.
Accuvant Labs claims to have built a prototype malicious program that could be programmed to steal data or send text messages – and the app made it past Apple’s security checks.
“Until now you could just download everything from the App Store and not worry about it being malicious. Now you have no idea what an app might do,” said Charlie Miller, a researcher at the company.
Now you have no idea what an app might do
There is as yet no evidence that hackers have exploited the vulnerability in Apple’s iOS software. But Miller said his test demonstrated that there could be malware in the App Store that has passed undetected.
Miller said he proved his theory by building a stock-market monitoring tool, InstaStock, that was programmed to connect to his server once downloaded, from where he could install the malware on to the user’s device.
Miller, who in 2009 identified a bug in the iPhone text-messaging system that allowed attackers to gain remote control over the devices, said he had contacted the company about the vulnerability.
“They are in the process of fixing it,” he said.
Miller said over Twitter that Apple had removed the app from its store, and revoked his developer status. “Apple just kicked me out of the iOS Developer program. That’s so rude,” he tweeted. “First they give researchers access to developer programmes, (although I paid for mine) then they kick them out.. for doing research.” Apple did not respond to requests for comment.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
