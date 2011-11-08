* Researcher says App Store did not detect malware
* Vulnerability discovered by expert on Apple security
Nov 7 A software flaw in Apple Inc's (AAPL.O)
iPhones and iPads may allow hackers to build apps that secretly
install programs to steal data, send text messages or destroy
information, according to an expert on Apple device security.
Charlie Miller, a researcher with Accuvant Labs who
identified the problem, built a prototype malicious program to
test the flaw. He said Apple's App Store failed to identify the
malicious program, which made it past the security vetting
process.
There is as yet no evidence that hackers have exploited the
vulnerability in Apple's iOS software. But Miller said his test
demonstrated that there could be real malware in the App
Store.
"Until now you could just download everything from the App
Store and not worry about it being malicious. Now you have no
idea what an app might do," Miller said.
Miller said he proved his theory by building a stock-market
monitoring tool, InstaStock, that was programmed to connect to
his server once downloaded, and to then download whatever
program he wants.
(To see a YouTube video demonstration of the technique, go
to here)
Apple did not respond to requests for comment.
Miller, who in 2009 identified a bug in the iPhone
text-messaging system that allowed attackers to gain remote
control over the devices, said that he had contacted the
company about the vulnerability.
"They are in the process of fixing it," he said.
Miller is scheduled to present his detailed research at the
SyScan '11 security conference in Taiwan next week
(here)
(Reporting by Jim Finkle; Editing by Gary Hill)