Researcher plants rogue app in Apple’s App Store
Charlie Miller, research consultant for Denver-based security consultant Accuvant, plants an app that uses a flaw in Apple’s iOS. Miller’s latest app, dubbed “Instastock,” was approved by Apple App Store. No worries–the app is only a proof-of-concept.
Instastock exploited the bug Miller discovered to ping a server at his home and request to download another file. While Miller did not stock his server with such a file — except briefly for demonstration and testing purposes — it proved the app could secretly download rogue code. Such “malware” could conceivably issue commands to an iPhone or iPad, stealing contacts and photos, turning on the device’s camera or microphone, or sending text messages.
“The bug I found lets programs signed by Apple download more code,” said Miller in an interview Monday. Until now, it was assumed that Apple’s code signing protected users from dangerous apps being distributed through the App Store.
Charlie Miller on Battery Firmware Hacking