Charlie Miller Finds and Exploits a Vulnerability in iOS Code Signing Enforcement

His app, which Apple allowed onto the App Store (but has, in the hours since Miller published this video, removed), demonstrated a vulnerability where an app could download unsigned executable code from a remote server and run it. That is exactly what iOS code signing is supposed to prevent: only code Apple has signed runs on the device, and App Store review is what stands behind that signature, so unsigned code is code Apple never vetted. No exact details on the bug until Miller gives a talk revealing it next week, but Andy Greenberg at Forbes has more info:

Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 early last year. To increase the speed of the phone’s browser, Miller noticed, Apple allowed JavaScript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, he realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.)

The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like. “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

That’s the Nitro JavaScript engine, which is faster because it uses JIT compilation: it compiles JavaScript to native machine code at run time, which means writing code into memory and then executing it. Code signing enforcement normally forbids precisely that, since the kernel refuses to execute pages that no signature covers, so Safari needs an exception the rest of the system does not get, and that exception is why Nitro is less secure for the same reason it is faster. I wrote about the security implications of Nitro back in March.
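To make concrete what the browser’s exception buys, and what code signing enforcement otherwise forbids, here is an added example in C. It is mine, not Miller’s app and not Apple or WebKit code, and it models the rule the Forbes piece describes rather than Apple’s actual implementation: a process descriptor with a hypothetical `has_jit_exception` flag stands in for whatever entitlement Apple grants MobileSafari (the page does not name it), and the machine-code bytes for “return 42” are constructed for the example. The “browser” path does what any JIT does: it writes native code into anonymous memory, flips the page to executable, and calls it. No signature ever covered those bytes, which is why a sandboxed app that can reach this path no longer has to worry about code signing at all.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Native code for "return 42". Constructed for this example; not Nitro output. */
#if defined(__x86_64__)
static const uint8_t kReturn42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                     0xC3 };                          /* ret         */
#elif defined(__aarch64__)
static const uint8_t kReturn42[] = { 0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
                                     0xC0, 0x03, 0x5F, 0xD6 };       /* ret         */
#else
static const uint8_t kReturn42[] = { 0 };
#define JIT_UNSUPPORTED_ARCH 1
#endif

/* Hypothetical process descriptor. has_jit_exception stands in for the
 * entitlement Apple grants the browser; the real name is not on this page. */
typedef struct {
    const char *name;
    int         has_jit_exception;
} process_t;

enum { JIT_OK = 42, JIT_DENIED_BY_POLICY = -1, JIT_DENIED_BY_OS = -2 };

/* Model of the rule the article describes: memory that will hold code no
 * signature covers may only be created by a process holding the exception. */
static void *jit_alloc(const process_t *p, size_t len)
{
    if (!p->has_jit_exception) {
        errno = EPERM;
        return NULL;
    }
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return mem == MAP_FAILED ? NULL : mem;
}

/* Write unsigned machine code into memory and execute it, as a JIT does.
 * Returns 42 when the code ran, or a negative code saying which layer refused. */
int run_unsigned_code(const process_t *p)
{
#ifdef JIT_UNSUPPORTED_ARCH
    (void)p;
    return JIT_DENIED_BY_OS;
#else
    size_t len = 4096;
    uint8_t *mem = jit_alloc(p, len);
    if (mem == NULL)
        return errno == EPERM ? JIT_DENIED_BY_POLICY : JIT_DENIED_BY_OS;

    memcpy(mem, kReturn42, sizeof kReturn42);       /* the "compile" step */

    /* W^X: flip the page from writable to executable instead of holding both.
     * A kernel enforcing code signing refuses this mprotect for unsigned pages. */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return JIT_DENIED_BY_OS;
    }
    __builtin___clear_cache((char *)mem, (char *)mem + len);

    int (*fn)(void);
    memcpy(&fn, &mem, sizeof fn);   /* copy rather than cast object -> function ptr */
    int result = fn();
    munmap(mem, len);
    return result;
#endif
}

int main(void)
{
    process_t sandboxed = { "third-party app", 0 };
    process_t browser   = { "MobileSafari",    1 };
    printf("%-16s -> %d\n", sandboxed.name, run_unsigned_code(&sandboxed));
    printf("%-16s -> %d\n", browser.name,   run_unsigned_code(&browser));
    return 0;
}
```

On a stock Linux or macOS box the browser path returns 42 and the sandboxed path returns -1 from the modelled policy. On a system whose kernel itself enforces W^X for unsigned pages, the browser path instead returns -2 from `mprotect`, which is the enforcement iOS applies to every process that does not hold the exception, and it is that enforcement Miller’s bug let an ordinary app step around.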

Also: Apple has kicked Miller out of the iOS developer program.

Monday, 7 November 2011