
Major iOS security flaw discovered, Apple fumbles it

Bateluer

Lifer
http://www.cnn.com/2011/11/08/tech/mobile/apple-ios-bug-apps/index.html

A bug in Apple's mobile operating system allows hackers to take control of iPhone and iPad apps, using them to steal people's photos, contacts and even send text messages without the device's user knowing about it, according to a notable computer security researcher.

Miller said he alerted Apple to the bug three weeks ago and the company told him a fix was in the works. Apple did not respond to CNN's request for comment on the apparent security flaw, which Miller explains in detail on YouTube.

As thanks for that work, he said, Apple banned him from the iOS developer program for a year.

Seems like a pretty serious issue. A similar security flaw was found in Android Market a few months back, with auto-root apps and several malicious apps repackaged as popular, common apps. Turned out to be a dud, though; it was acknowledged and fixed before any serious harm could be done.

Apple doesn't have the best track record with dealing with problems with their products though. The overheating issues on the 3GS were ignored, their handling of the antennagate fiasco on the iP4 was a flustercluck that would have had any other company strung up, the DOA iMacs, the yellow screen iMacs, the slew of problems with the early Airs, etc, etc.

Miller says he alerted Apple to the exploit 3 weeks ago? No response or fix yet. Seems like a fumble again.
 
I think what you're leaving out is exactly why Apple banned him from the developer program. He didn't get banned for calling out Apple on the bug, he got banned because he uploaded an app to the App Store that was exploiting the bug.

EDIT:

Although, I should add that his app was pretty much harmless in nature, but they banned him for going against the Terms of Use.
 
Not a fumble until damage happens

404 damage not found

Better to fix the problem before damage is done, wouldn't you say? Honestly, would you continue driving your car if the gas tank was leaking fuel? Somehow, I don't think you'd be waiting until something ignited it before having it fixed.

I think what you're leaving out is exactly why Apple banned him from the developer program. He didn't get banned for calling out Apple on the bug, he got banned because he uploaded an app to the App Store that was exploiting the bug.

EDIT:

Although, I should add that his app was pretty much harmless in nature, but they banned him for going against the Terms of Use.

My understanding is that the app he uploaded was essentially 1) proof of concept, 2) could only affect Miller's phone, and 3) that it would escape Apple's notice.

Banning him is a dick move on Apple's part, something more akin to the schoolyard.
 
I think Apple handles issues decently. I think they get a lot of flak because they're Apple. I bet if antennagate happened to any other device no one would have cared or made such a big deal out of it.

I think a lot of companies are at fault for not fixing their issue in a prompt manner. I mean how long did it take Samsung to fix their GPS issue?
 
Apple is well within their rights to ban him, but actually doing it is a dick move on their part. Why not respond to him privately and thank him for the find, and patch it in an update?

I've heard similar stories about both Apple and Google in regards to developer relations. One would think they are more open to directly communicating with these devs and being thankful for their discoveries.

I think Apple handles issues decently. I think they get a lot of flak because they're Apple. I bet if antennagate happened to any other device no one would have cared or made such a big deal out of it.

Well that's easy. Apple only releases one phone model each year, so if that single model has an issue, then you're looking at a potentially big problem. A specific phone from a specific android manufacturer is obviously going to be less significant because there is a great variety of Android handsets.
 
Apple doesn't have the best track record with dealing with problems with their products though. The overheating issues on the 3GS were ignored, their handling of the antennagate fiasco on the iP4 was a flustercluck that would have had any other company strung up, the DOA iMacs, the yellow screen iMacs, the slew of problems with the early Airs, etc, etc.

PR wise, it was not pretty but let's be serious. The FACT is that the iPhone 4, even with antenna problems, had better signal quality than previous iPhones. The iPhone 4 also had reception that was competitive with any Android phone out at the time. It's funny that the only ones still complaining are those who will never get an iPhone.

And yes, banning the guy who discovered the flaw is a dick move.
 
As others have stated, banning him was a dick move. They should be happy he BETA tested for them and pointed out the exploit. Not that I hate Apple, but it's things like this that make me like them even less.
 
Miller says he alerted Apple to the exploit 3 weeks ago? No response or fix yet. Seems like a fumble again.

In the real world, complicated software bugs take longer than a few days to fix and generally no one goes around talking about their presence to the rest of the world in the interim.

Nice editorialization though. Then again the article isn't much better.
 
They should thank him? Really? He pointed out the flaw to them privately (good), but then, like a tool, put together an app and got it approved and then let it get put out there. I am not sure if he pulled the app or if Apple did, but if it was the latter, then no, it wasn't a dick move to ban him.

If the story had been that he made an app, later discovered that it had this exploit, alerted Apple, and pulled it, then it would be a dick move to ban him.
 
As others have stated, banning him was a dick move. They should be happy he BETA tested for them and pointed out the exploit. Not that I hate Apple, but it's things like this that make me like them even less.

There is a difference between finding a problem and letting Apple know about it so that they can fix it and doing all of that and running to the press with it. It really doesn't improve the situation in any appreciable way.
 
Better to fix the problem before damage is done, wouldn't you say? Honestly, would you continue driving your car if the gas tank was leaking fuel? Somehow, I don't think you'd be waiting until something ignited it before having it fixed.



My understanding is that the app he uploaded was essentially 1) proof of concept, 2) could only affect Miller's phone, and 3) that it would escape Apple's notice.

Banning him is a dick move on Apple's part, something more akin to the schoolyard.

Kind of a gray area. I don't think any of us would endorse somebody carrying a weapon on a plane as a POC finding a flaw in airline security, but on the other hand this kind of approach is often forgiven if intentions were good.
 
As others have stated, banning him was a dick move. They should be happy he BETA tested for them and pointed out the exploit. Not that I hate Apple, but it's things like this that make me like them even less.

They didn't ban him for pointing out the exploit; they banned him for uploading an app with an exploit to the App Store.

Miller plans to present a method that exploits a flaw in Apple’s restrictions on code signing on iOS devices, the security measure that allows only Apple-approved commands to run in an iPhone or iPad’s memory. Using his method–and Miller has already planted a sleeper app in Apple’s App Store to demonstrate the trick–an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.
 
They didn't ban him for pointing out the exploit; they banned him for uploading an app with an exploit to the App Store.

They banned him because he made an app with an unknown exploit that was scrutinized and OK'd by Apple. Kinda funny how they never even detected anything unusual about his app. I think if I was one of the millions of isheep I'd be more worried about why Apple didn't catch the exploited app in the first place. I think his whole point was to expose the exploit and to show Apple that it's possible that iOS isn't magically protected by pixie dust like OSX.

I'm pretty sure if he had any intentions of using the exploit he wouldn't have contacted Apple in the first place. I no longer own any idevices so I don't really give a ratz *** either way. Those of you who do should thank him for pointing out the exploit rather than using it. Next time you might not be so lucky!
 
http://www.cnn.com/2011/11/08/tech/mobile/apple-ios-bug-apps/index.html

Seems like a pretty serious issue. A similar security flaw was found in Android Market a few months back, with auto-root apps and several malicious apps repackaged as popular, common apps. Turned out to be a dud though, it was acknowledged and fixed before any serious harm could be done.

Over-exaggerate much? Does apple need to fix the problem? Yes.

Similar issue on Android? Like this one: http://www.csc.ncsu.edu/faculty/jiang/nexuss.html that took them 3 months to release a fix for? For good or bad, this is more the standard than the exception.
 
Over-exaggerate much? Does apple need to fix the problem? Yes.

Similar issue on Android? Like this one: http://www.csc.ncsu.edu/faculty/jiang/nexuss.html that took them 3 months to release a fix for? For good or bad, this is more the standard than the exception.

From the link, the Google Security people didn't ban Xuxian Jiang after he notified them of the exploit. In fact, he notes:

was pleased/impressed to receive their response within 10 minutes. After that, we exchanged emails, including a critical piece of exploit code, to better understand the nature of the vulnerability. From the interaction, I can tell that they took this issue seriously and the investigation was started immediately without any delay. Also, I need to mention that this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the /sdcard and a limited number of others).

The vulnerability is now confirmed and I was told that an ultimate fix will be included no later than the next major release of Android. We are not aware of any active exploitation of this issue.

So, Google acknowledged him, worked with him to confirm the fail, promised and then delivered a fix in the next update to Android, 2.3.4. This is how you handle these. Well done Google.
 
From the link, the Google Security people didn't ban Xuxian Jiang after he notified them of the exploit. In fact, he notes:

So, Google acknowledged him, worked with him to confirm the fail, promised and then delivered a fix in the next update to Android, 2.3.4. This is how you handle these. Well done Google.

Did he try to upload an app containing said exploit to the App Store?

From the OP...

Miller said he alerted Apple to the bug three weeks ago and the company told him a fix was in the works.

So we know that a fix is "in the works" (whether or not it's true) and if it's fixed on the next update, we're all kosher?

From the link, it took Android developers 3 months to identify the problem and release a solution. You haven't given Apple 3 months yet.

notified the Google Android Security Team on 01/26/2011...On 4/28/2011, Nick notified me that the patch is now included in Android 2.3.4, which is released on the same day.
 
From the link, it took Android developers 3 months to identify the problem and release a solution.

From your link, they'd ID'd the problem in ~10 minutes. Since this was a pretty benign issue, affecting a pretty limited release device, why wouldn't they simply wait to release it in a major OS update? It's not like the carriers are going to be bothered releasing a minor point release every week.
 
From your link, they'd ID'd the problem in ~10 minutes. Since this was a pretty benign issue, affecting a pretty limited release device, why wouldn't they simply wait to release it in a major OS update? It's not like the carriers are going to be bothered releasing a minor point release every week.

Actually, it goes earlier than that:

I notified the Android Security Team on 19-Nov-2010 and to their credit they responded within 20 minutes, took it seriously, and started an investigation into the issue.

So now we're at 6 months to identify and fix a problem.

IDGAF personally, you're just praising Google when they were given 6 months to fix a problem and you're railing against Apple when it's only been 3 weeks.
 
From your link, they'd ID'd the problem in ~10 minutes. Since this was a pretty benign issue, affecting a pretty limited release device, why wouldn't they simply wait to release it in a major OS update? It's not like the carriers are going to be bothered releasing a minor point release every week.

It took HTC a month to provide a fix for their security issue. Like I said before, this is the standard and not the norm.

It sounds like this is an issue with Apple's JIT compiler (Nitro Extreme JS engine) and it may not be a trivial fix that they can provide in a day.

They already seeded 5.0.1 beta 1,2 to devs that includes some security fixes, and we may very well see them fix this issue along with the release of 5.0.1.

But please continue making yourself look like you are grasping at straws.

[EDIT]

I will say though, that I don't agree that Apple should have banned him, at least not permanently. He broke the rules by uploading the app to the App Store; even though it seems like not a big deal, the developer agreement clearly states that what he did was not allowed. There is no clause that says you can add apps to the store that use exploits just because you told them about it.

I do hope that they work with him, and they eventually let him back in.
 
I will say though, that I don't agree that Apple should have banned him, at least not permanently.

I do hope that they work with him, and they eventually let him back in.

I read that it was a year ban?
 