Yes, you read that correctly. Former NSA analyst Charlie Miller – who has reportedly been ejected from the Apple developer corps for his trouble – has effectively created an app that behaves like a remote access trojan (RAT).
Apple seems sanguine about the reports of the rogue app, even if some members of the security industry have started frothing electronically at the mouth.
According to Forbes, Miller will present at the SysCan conference in Taiwan next week a working technique that exploits a flaw in Apple's enforcement of code signing on iOS devices, the security measure that is supposed to allow only code signed and approved by Apple to execute in an iPhone or iPad's memory.
“Using his method – and Miller has already planted a sleeper app in Apple’s [iTunes] app store to demonstrate the trick – an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends”, notes the newswire.
“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check”, he says. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”
Miller has posted a YouTube video demonstrating the security vulnerability.
His proof-of-concept app – now removed from iTunes – reportedly appears to merely list stock tickers, but also communicates with a server in his home in St. Louis, pulling down and executing whatever new commands he wants.
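To make the mechanism described above concrete, here is a toy model of code-signing enforcement, added as an illustration: it is my code, not Miller's proof of concept and not Apple's implementation. The vendor signs a manifest of the digests of every code blob an app may execute; a loader that checks the manifest rejects code the reviewer never saw, while a loader with an unchecked path (the sleeper-app behaviour) runs whatever the remote server hands back. HMAC-SHA256 over the manifest stands in for Apple's asymmetric signature so the example needs only the standard library; the key, the fake device state and the two payload strings are all constructed for the example.

```python
import hashlib
import hmac
import json


class CodeSigningViolation(Exception):
    """Raised when code the vendor never approved is about to run."""


# Constructed vendor signing key. On a real device only the verifying half
# is present; a symmetric key is used here purely so the example runs with
# nothing but the standard library.
VENDOR_KEY = b"constructed-vendor-signing-key"


def digest(code: str) -> str:
    """Identify a code blob by its SHA-256 digest, much as a code directory
    identifies each executable page by its hash."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def sign_manifest(approved_blobs, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side (app review): sign the digests of every blob the app may run."""
    body = json.dumps(sorted(digest(c) for c in approved_blobs))
    tag = hmac.new(key, body.encode("utf-8"), "sha256").hexdigest()
    return {"digests": body, "sig": tag}


def verify_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> set:
    """Device side: reject a manifest whose signature does not check out,
    otherwise return the set of approved digests."""
    expected = hmac.new(key, manifest["digests"].encode("utf-8"), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        raise CodeSigningViolation("manifest signature does not verify")
    return set(json.loads(manifest["digests"]))


def execute(code: str, device: dict) -> dict:
    """Run a blob against a fake device; the blob reports results through `out`."""
    scope = {"device": device, "out": {}}
    exec(code, scope)  # stands in for mapping the pages executable
    return scope["out"]


def load_unchecked(code: str, device: dict) -> dict:
    """The sleeper-app path: run whatever the remote server hands back."""
    return execute(code, device)


def load_signed(code: str, manifest: dict, device: dict) -> dict:
    """The enforced path: a blob runs only if its digest is in a signed manifest."""
    if digest(code) not in verify_manifest(manifest):
        raise CodeSigningViolation("blob %s is not in the signed manifest" % digest(code)[:12])
    return execute(code, device)


# Constructed sample device state.
DEVICE = {
    "tickers": {"AAPL": 380.0, "GOOG": 590.0},
    "contacts": ["Alice", "Bob"],
    "photos": ["IMG_0001.jpg"],
}

# What the reviewed app legitimately does: list stock tickers.
TICKER_CODE = "out['tickers'] = sorted(device['tickers'])"

# What the server at home sends later: code the reviewer never saw.
EXFIL_CODE = "out['stolen'] = list(device['contacts']) + list(device['photos'])"

MANIFEST = sign_manifest([TICKER_CODE])


def tampered_manifest() -> dict:
    """An attacker appends their own digest to the manifest without the key."""
    digests = json.loads(MANIFEST["digests"]) + [digest(EXFIL_CODE)]
    return {"digests": json.dumps(sorted(digests)), "sig": MANIFEST["sig"]}


def demo() -> dict:
    """Exercise every path once and return what each one did."""
    results = {"unchecked": load_unchecked(EXFIL_CODE, DEVICE),
               "approved": load_signed(TICKER_CODE, MANIFEST, DEVICE)}
    for label, (code, manifest) in (("unsigned", (EXFIL_CODE, MANIFEST)),
                                    ("tampered", (EXFIL_CODE, tampered_manifest()))):
        try:
            load_signed(code, manifest, DEVICE)
            results[label] = "ran"
        except CodeSigningViolation as err:
            results[label] = "rejected: %s" % err
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

The unchecked loader hands the attacker the contacts and photos, which is exactly the behaviour the newswire describes; the checked loader refuses both the unsigned blob and a manifest that was edited after signing. The real bug, as the article relays it, was a path on iOS where the check modelled by `load_signed` could be avoided, not a break of the signature itself.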
The good news is that Miller is not explaining his methodology before next week's conference in Taiwan, which, he says, gives Apple time to patch the problem.
Reflecting what many iOS observers are saying, data security specialist Cryptzone observed that the flaw effectively means an iPhone or iPad can be totally 'pwned' – hacker slang for 'owned', that is, fully under an attacker's control – and it expects to see real attacks on Apple's smartphone and tablet platform in the near future.
According to Grant Taylor, vice president of the encryption, port control and compliance vendor, until now it was thought that Apple's iOS platform was relatively invulnerable to subversion by conventional malware, but the fact that the security of the iTunes vetting procedure can be side-stepped by sneaking in a darkware app, right under Apple's noses, shows what can be done.
"The revelation that iPhone and iPad malware can be created – and distributed on one of the largest and most trusted portable applications arenas on the planet – will create what I call the Colditz effect. Colditz is a Renaissance castle in the town of the same name near Leipzig in Germany – it was used as a prisoner-of-war camp by the Germans in World War II, as it was thought impossible to escape from, on account of its high levels of security", he said.
"But as prisoners learned that escape was possible, the castle ended up being infamous for the number of successful escape attempts. Prisoners actually welcomed being transferred to Colditz as they knew it was possible to escape. And now that the cybercriminal community know that it is possible to compromise iTunes and the iOS platform, you can guess what is going to happen now", he added.
The Cryptzone vice president went on to say that, with the right commands, hackers can effectively 'pwn' an iPhone or iPad, just as they can remotely assume control over desktop PCs using suitable malware and an infection route into the machine in question.
"As Miller says – 'now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check. With this bug, you can't be assured of anything you download from the App Store behaving nicely' – and he's right too", Taylor said.
"Apple will be burning the midnight oil to work out how to beat this potentially serious compromise of the iOS platform, but I suspect a simple patch may not be enough to solve this security issue."