iOS Exploit Allows Apps To Run Unsigned Code


A security researcher has announced the discovery of a method for iOS apps to run unauthorized code on your iPhone, potentially giving malware some new tools for wreaking havoc on your smartphone. The formal announcement of the exploit will occur at SysCan next week, but for now we know at least the basics behind its operation; what’s going on, and should you be worried?

From what’s been revealed so far, the problem lies in the access rights Apple gave to its Nitro javascript engine in order to increase its speed. Since Nitro compiles javascript code to be natively executed, it needs the ability to run unsigned code. To do so, Apple assigns it a memory space with the appropriate permissions.

Researcher Charlie Miller discovered a way for other apps to trick iOS into giving them a memory region with those same special Nitro permissions. Once that’s ready, a malicious app could request code from a remote server, download it to your iPhone, and then have the unsigned, non-Apple-authorized code execute.

Miller wrote a demo app for his exploit, and had it approved and added to the App Store. Once Apple caught wind of his stunt, it pulled the app and terminated Miller’s development account.

Based on what we know of this attack vector, it doesn’t sound like too much cause for concern for the average user. That’s not saying the exploit isn’t potentially devastating, but thankfully it was discovered by an upstanding security researcher rather than by a black-hat hacker. It should be easier to screen for offenders now that Apple knows what it’s looking for, the company will presumably patch the memory permissions bug in a future iOS release, and Apple continues to pull problem apps from the App Store as it spots them.

Source: Forbes

Via: BGR

Share This Post
What's your reaction?
Love It
Like It
Want It
Had It
Hated It
About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits Read more about Stephen Schenck!