Researcher Discovers iOS Code Signing Flaw; Gets Axed from Developer Program

Posted on November 8th, 2011 by

Mac and iOS security researcher Charlie Miller discovered a flaw in Apple’s code signing system. Using this exploit, Miller said that, “you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check. With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

The vulnerability is as follows:

To increase the speed of the phone’s browser […] Apple allowed JavaScript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, [Miller] realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible.

According to the Forbes article linked above, “The simple program appears to merely list stock tickers, but also communicates with a server in Miller’s house in St. Louis, pulling down and executing whatever new commands he wants.” Once this was made public, Apple removed the app, and has also revoked Miller’s membership in Apple’s iOS developer program.

Miller did break Apple’s rules, but he also highlighted what could be a very serious flaw in the way iOS applies code signing. In doing so, he has exposed a vulnerability that needs to be patched in order to protect iOS users. Miller will be presenting this vulnerability next week at the SyScan conference in Taiwan.