Sponsored By

iTunes Store Gets a Security Black-Eye (and Apple Hits Back)iTunes Store Gets a Security Black-Eye (and Apple Hits Back)

Even the most secure of systems may still have these little surprises hiding in them.

Michael Finneran

November 10, 2011

2 Min Read
No Jitter logo in a gray background | No Jitter

Even the most secure of systems may still have these little surprises hiding in them.

Apple has enjoyed a stellar record for the security of the applications distributed through its iTunes store, but a security researcher has just egged the house. Charlie Miller, principal research consultant for security consultant Accuvant discovered a bug in Apple's iOS 4.3 that allowed him to build an app that when downloaded, caused the user's phone to connect back to his server. That server could then download additional software to the user's phone.

This exploit is what is called a "proof-of-concept", and no malicious code was actually downloaded; Mr. Miller simply proved it could be done. The more embarrassing part for Apple was that they had approved Miller's app, which he called "Instastock". Key to that security is the fact that Apple digitally signs all apps carried in the iTunes store, and iOS refuses to run any app that is not signed.

What Mr. Miller discovered was that with iOS 4.3, Apple made an exception for the Safari browser that would apparently speed up JavaScript execution. That vulnerability exists in every release since 4.3, including the new 5.0. The trick was to fake iOS into thinking Instastock was actually Safari.

The security blanket of iTunes is one of the big advantages Apple could cite over Android, which has had repeated problems with malware infected apps showing up in the Android store. The exploit is not a trick anyone could have pulled off, as this Miller fellow has some bona fide credentials, being the only four-time winner of the annual Pwn2Own hacking contest. What he learned quickly was that Apple does not like egg on its face.

Shortly after Mr. Miller made his announcement he received an email from Apple informing him that we was out of Apple's iOS developer program, and he would be banned for a full year. He contends that he had informed Apple of the vulnerability three weeks earlier, he just didn't tell them he'd actually placed his app in the store.

We can be fairly sure that Apple will fix this problem post-haste, but it is another important reminder that even the most secure of systems may still have these little surprises hiding in them.

About the Author

Michael Finneran

Michael Finneran

Michael F. Finneran, is Principal at dBrn Associates, Inc., a full-service advisory firm specializing in wireless and mobility. With over 40-years experience in networking, Mr. Finneran has become a recognized expert in the field and has assisted clients in a wide range of project assignments spanning service selection, product research, policy development, purchase analysis, and security/technology assessment. The practice addresses both an industry analyst role with vendors as well as serving as a consultant to end users, a combination that provides an in-depth perspective on the industry.

His expertise spans the full range of wireless technologies including Wi-Fi, 3G/4G/5G Cellular and IoT network services as well as fixed wireless, satellite, RFID and Land Mobile Radio (LMR)/first responder communications. Along with a deep understanding of the technical challenges, he also assists clients with the business aspects of mobility including mobile security, policy and vendor comparisons. Michael has provided assistance to carriers, equipment manufacturers, investment firms, and end users in a variety of industry and government verticals. He recently led the technical evaluation for one of the largest cellular contracts in the U.S.

As a byproduct of his consulting assignments, Michael has become a fixture within the industry. He has appeared at hundreds of trade shows and industry conferences, and helps plan the Mobility sessions at Enterprise Connect. Since his first piece in 1980, he has published over 1,000 articles in NoJitter, BCStrategies, InformationWeek, Computerworld, Channel Partners and Business Communications Review, the print predecessor to No Jitter.

Mr. Finneran has conducted over 2,000 seminars on networking topics in the U.S. and around the world, and was an Adjunct Professor in the Graduate Telecommunications Program at Pace University. Along with his technical credentials, Michael holds a Masters Degree in Management from the J. L. Kellogg Graduate School of Management at Northwestern University.

See more from Michael Finneran

Editor's Spotlight

How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations
Ccaas
How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations
How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations

Dec 16, 2024

How Talkdesk Delivers for Vertical Industries
Ccaas
How Talkdesk Delivers for Vertical Industries
How Talkdesk Delivers for Vertical Industries

Dec 5, 2024

How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity
Ccaas
How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity
How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity

Dec 17, 2024

Subscribe to Our Weekly Newsletters
Stay informed and sign up for weekly No Jitter and WorkSpace Connect newsletters
Sign Me Up
Mar 17 - Mar 20, 2025
As the #1 communications, collaboration and CX Conference and Expo in North America, we empower IT professionals to confront and overcome today's most pressing challenges. Attend Enterprise Connect and join thousands of like-minded peers building a framework for future success. You’ll walk away with rich learning experiences, invaluable connections, business opportunities, and inspiring insights. Register with Promo Code CONNECT25 to save $200 on Conference passes.
Learn More