Apple’s iOS Javascript Browser Tweak Hacked To Allow Any App To Run Malicious Code

When it comes to Mac hacking, there are few security experts more dangerous than Charlie Miller, who can hack a Mac in mere seconds. Luckily, Miller only uses his hacking powers for the forces of good, so his hacks often lead to more secure systems for you and me.

Let’s hope that’s the case for the latest vulnerability Miller identified for the iOS platform. He has discovered a huge bug in iOS that allows malicious devs to write innocuous looking apps that slip by the App Store review process, only to phone home to a remote computer and repurpose all of iOS’s normal functions for malicious ends.

Miller proved the concept with an app called Instastock. Although Instastock appeared to be just a stock ticker, it actually phoned home to Miller’s house in St. Louis, where it downloaded new commands that allowed him to do things like read a user’s photos, contacts or emails, make the phone vibrate or even ring. Apple approved the app for distribution without raising an eyebrow.

Why didn’t Apple catch this stuff in the App Store review process? It’s simple: the commands to do all this malicious stuff didn’t exist in the app at the time it was reviewed. They only arrived after the installed app dialed into Miller’s home computer from the iPhone and downloaded the code that would normally have triggered Apple’s clampdown procedures.

How does it work? To speed up iOS’s browser, starting with iOS 4.3 Apple lets JavaScript downloaded from the internet run at a much deeper level in system memory than it could before. That speed increase effectively creates an exception in which the browser is allowed to run unapproved code from a region of the device’s memory. All Miller’s hack does is extend that exception to other apps.

Miller intends to show off his Instastock app and the bug at next week’s SyScan conference in Taiwan. Presumably, Apple will fix this bug extremely quickly, but in the meantime the company has made no comment. You can read more about Miller’s hack here.

About the author

John Brownlee is a Contributing Editor. He has also written for Wired, Playboy, Boing Boing, Popular Mechanics, VentureBeat, and Gizmodo. He lives in Boston with his girlfriend and two parakeets. You can follow him here on Twitter.