Third party iPhone app developers may be able to update and execute arbitrary code from their applications at will, circumventing Apple’s App Store approval process, according to a report at TechCrunch.
The exploit stems from a trick documented by developer/blogger Partick Collison, who figured out a workaround to allow for the display of dynamic default.png images that load when an app is opened on the phone.
Jason Kincaid, who writes for TechCrunch, believes this security flaw makes it possible that “using the same technique with arbitrary code would likely allow a developer to update and execute whatever code they’d like at will.”
Kincaid notes that this is only an issue insofar as Apple purports to retain control of everything that appears on the AppStore. Developers enjoy the capability of running malicious code in just about every Windows or Mac desktop application you can buy without a screening process similar to the one Apple maintains before allowing iPhone and iPod touch applications to be distributed through the AppStore.
It’s also worth noting that no developer or application has been found to have used this particular exploit to run malicious code to date, and that Apple could act to close the loophole before anyone’s phone is put at risk.
