Malicious app penetrates iTunes store to test security

shakirmoledina

A malicious piece of software designed for iPhones and iPads has been created to show that Apple's app store is not immune to malware.
The code was designed to look like a stock price tracker, but was also able to steal data.
Experts said that the proof-of-concept program was a "significant threat" to the app store.
Apple declined to comment. It also removed the app and barred the developer from its store.
The software was created by security expert and hacker Charlie Miller to demonstrate Apple's vulnerabilities.
The firm accepted the program to its iTunes app store in September. Two months later Mr Miller revealed that it contained malware that could remotely download pictures and contacts.
"Until now you could just download everything from the app store and not worry about it being malicious. Now you have no idea what an app might do," he said.
The InstaStock app took advantage of a recent update to Apple's mobile operating system which allowed non-approved code to be added to installed apps for the first time.
A few hours after Mr Miller disclosed the flaw, he received an email from Apple which said he was barred from the iOS developer program for violating its terms and conditions.
He wrote on Twitter: "First they give researchers access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry."
Mr Miller has made something of a habit of exposing Apple's security flaws.
In 2009 he identified a bug in the iPhone's text-messaging system that allowed attackers to gain remote control over the devices.
He has since exposed other vulnerabilities in Apple's Mac and mobile platforms.
Mr Miller plans to present his research at a security conference in Taiwan on 17 November.

The app he created was described as "the most significant threat yet to Apple's app store economy", by independent mobile analyst Ian Fogg.
"Apple has been widely criticised for the way in which it limits what code developers can use but this suggests that it was probably right to do that," he added.
To date Apple's biggest security threat has been to the minority of its devices that have been modified.
So-called jail-broken handsets appeal to more tech-savvy users who want to introduce non-Apple approved software to their handsets.
However, many experts believe Apple's app store is still more secure than many of its rivals'.
"The Android marketplace has a supply chain that is rather less controlled and therefore offers more potential to malware writers," said Graham Titterington, an analyst with research firm Ovum.
But he added that this malicious iPhone app could be "the first of many".

Source

I disagree with his methods. It's like LulzSec: hack and show the vulnerability. Talk to Apple officially and explain the situation to help them and not the real hackers.
It's like throwing a rock at a glass window and saying it's weak. Talk to the owner of the glass about the weakness rather than breaking it.

Do you think Apple has the right to do what it did?

Deleted_171835

I disagree with his methods. It's like LulzSec: hack and show the vulnerability. Talk to Apple officially and explain the situation to help them and not the real hackers.
It's like throwing a rock at a glass window and saying it's weak. Talk to the owner of the glass about the weakness rather than breaking it.

Do you think Apple has the right to do what it did?
The funny thing is most corporations react harshly when you tell them about their security problems. It seems the only way to get anything done is to disclose it publicly.

tijntje_7

I disagree with his methods. It's like LulzSec: hack and show the vulnerability. Talk to Apple officially and explain the situation to help them and not the real hackers.
It's like throwing a rock at a glass window and saying it's weak. Talk to the owner of the glass about the weakness rather than breaking it.

Do you think Apple has the right to do what it did?

I'm rather sorry good sir, but our glass is made in the finest factories of America.
This is well reinforced glass. We are sure this glass isn't weak.

(good luck)

Thesolcity

Wherever the light shines, it casts a shadow.
Member
Joined
Oct 2, 2010
Messages
2,209
Trophies
1
Location
San Miguel
XP
1,138
Country
United States
Stupid thing to do.
You find a bug, report it and wait; if you do that 2-3 times there is a chance to get a new, highly paid job ;)

Or you get a company with its head shoved so far up its ass that it doesn't believe that it IS an exploit. Public disclosure gets guaranteed results.

pistone

Well-Known Member
Member
Joined
Feb 18, 2010
Messages
503
Trophies
0
Age
35
Location
in your heart...coz secretly you love me !!!!
XP
232
Country
Albania
I don't think there is a company on earth that believes one of its products (software, mostly) is unhackable... except Google. You can't hack Google, Google hacks you.
Apple most of all, as every iOS Apple has released was hacked within minutes (or even before its official release).

Foxi4

Endless Trash
Global Moderator
Joined
Sep 13, 2009
Messages
30,825
Trophies
3
Location
Gaming Grotto
XP
29,841
Country
Poland
On one hand, the idea of the App Store is to have a steady flow of quickly-made applications and to distribute them with ease, so quality control and code control suffer. On the other, people who submit applications to the store share their address and personal information with Apple for billing purposes. Provided there was damage done by a given App, Apple would be on the developer's ass in mere hours after the first report, and guess who'd be charged for the damages?

This application didn't damage anything though, it stole information, which makes it malicious in an entirely different fashion, and that is a matter for concern. Perhaps the "Straight to the client" model of business should be revised, it's not the first time Apple sold something they weren't supposed to. Last time it was that game which depicted children working in factories to build iPads... Quality Control, yay!

FluffyLunamoth

Still a Touhou Fanatic
Member
Joined
Jul 21, 2009
Messages
2,147
Trophies
1
Location
Senkai
XP
580
Country
United States
He should try breaking into a bank and stealing their money to show how the bank's security is faulty, then await praise.
This, definitely this.
Couldn't have put it better myself :P

Foolish. Foolish to think they are the same at all. Breaking into a bank and stealing money does not equal putting malware on an app store. Two vastly different subjects, one is stealing, one is spreading bad code. Furthermore, Apple does not equal a bank. For one thing, Apple probably has more money than that bank. But that's semantics. It's more that a store is not a bank.

Plus, it was done to prove a point to a company that's got too big of a head. They are vulnerable, and this is the only way to make them see that.

EDIT: Final note, the maker said that the app could steal information. Did he ever actually have it do anything with that information? Did he ever get that information? I'm curious on that, if the code was ever acted upon. (Not like browsers don't already do all of this anyway...)

Foxi4

Endless Trash
Global Moderator
Joined
Sep 13, 2009
Messages
30,825
Trophies
3
Location
Gaming Grotto
XP
29,841
Country
Poland
Companies "collect" information all the time, by the way. By accepting an End-User License you haven't fully read, you expose yourself to what's called the "Information Market". Your information may be collected and "sold" to companies which deal with marketing, and you might end up with a hefty amount of spam, but a grand heist à la "stealing credit card information and stripping everyone who bought the App of their money" is unlikely due to what I mentioned in my previous post.

Apple collects information all the time for purposes not disclosed, even, for example, the latest positioning of an iPhone. Google does the exact same thing. You're just not aware of that process, but it is likely you actually agreed to it.

Jamstruth

Secondary Feline Anthropomorph
Member
Joined
Apr 23, 2009
Messages
3,462
Trophies
0
Age
31
Location
North East Scotland
XP
710
Country
This isn't an "exploit" as people are comparing it to. It's just showing that Apple don't check the submitted apps as thoroughly as they'd have us believe. The problem is in the human approving the app.

ferofax

End of the World
Member
Joined
Jan 26, 2009
Messages
2,570
Trophies
0
Age
42
Location
Philippines
Website
nonwhatso.blogspot.com
XP
687
Country
He should try breaking into a bank and stealing their money to show how the bank's security is faulty, then await praise.
Bad analogy. And he does not want praise, he wants the flaw to be acknowledged and taken seriously.

The problem with big companies is, unless they paid you for your opinion, your opinion does not matter to them, regardless of whether or not that opinion is backed up by incontrovertible fact. It sounds underhanded, but sometimes doing it this way is the only way for them to take your warning seriously. And if you wanted them to know about it, then it's clearly a warning, and not a threat. The way I see it, there's no malicious intention behind this "hacking" incident, although private data may have been compromised. But that "compromised private data" is exactly the point he wanted to make.

OJClock

_____________
Member
Joined
Oct 4, 2008
Messages
131
Trophies
0
XP
311
Country
United States
Usually hackers send an email to the company alerting them of the hack and wait a certain number of days; if there is no response, they reveal/release it, forcing the company to act.

The_Dragons_Mast

Well-Known Member
Member
Joined
Apr 20, 2007
Messages
615
Trophies
1
XP
1,699
Country
Egypt
He should try breaking into a bank and stealing their money to show how the bank's security is faulty, then await praise.

From what I read, his app never actually stole anything, it was just able to do so if he wanted, so a more accurate analogy would be: he entered a bank, sneaked to the safe and then notified the bank manager that he was inside, able to steal anything he wanted, and no one noticed.
