Apple has taken a much different approach to its App Store than rival Google, insisting on approving all applications to ensure security and consistency.
But a security researcher told Reuters that he has found an exploitable flaw that could allow malicious users to “take data, send text messages or destroy information” from iPhones and iPads. Charlie Miller, a researcher working with Accuvant Labs, built a test app exploiting the flaw, and his program was approved by Apple’s App Store. He then posted a video of his proof-of-concept app on YouTube.
Miller was able to program an app that, once connected to his server, would download whatever other app he wanted it to. He reported the bug to Apple and said that the company is “fixing it”; the app has since been removed from the App Store. Apple did not immediately respond to a request for comment on the issue.
But Miller got a surprise of his own after news of the bug hit the news media: he was kicked out of Apple’s developer program and suspended for a year.
“OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!” he wrote on Twitter.
Miller will be presenting his research on the bug at the SyScan conference in Taiwan next week, Forbes reported. The attack is much more surprising on an iOS device than on an Android device because the Apple store is known to have much more stringent requirements for apps.
“Android has been like the Wild West,” Miller told Forbes’s Andy Greenberg. “And this bug basically reduces the security of iOS to that of Android.”