This tidbit of information was sent to me in an email from a trusted source on Thursday, November 10, 2011, at 10:59 AM.
For those of you who may be downloading apps from the Apple App Store, the following story may be of interest:
Apple critics have long complained about Apple’s walled garden policy that severely restricts the ability of just anyone to develop an app for the iPhone and then sell it. You need to play by Apple’s rules if you want to get inside the so-called garden. This policy may be generating some negative spin for Apple but by all accounts it does work. Apple does make sure that any app that enters the fold and is sold at the App Store is safe for everyone to use. But that assurance has been tarnished with the exposure of a security hole that allows an app that passed Apple’s review to turn rogue.
The vulnerability was revealed by Charlie Miller, an Apple security researcher. The app Miller developed was an innocuous-looking stock-checking app that communicates with a server located in Miller’s home. The app was reviewed by Apple and was deemed safe. It was made available in the App Store. The shenanigan happens after the app is downloaded. The app’s code gets updated remotely, and from here on in the app will be able to gather information stored on the phone and send it back to the server. The bad news is that the phone user won’t even have any idea that this is happening, because it occurs in the background. The app takes advantage of a security hole in the mobile Safari app that allows apps to run code that has not been approved by Apple.
Apple has removed the app from the App Store and has also removed Miller from the Apple developer program.
[My comments: Even though Apple runs a tight ship as far as what programs can be made available through the Apple App Store, the fact that this particular test app had been available in the App Store since September and was not detected as potentially malicious until Miller himself talked about it is worrisome. My recommendation is to be very careful with your downloads until Apple patches the vulnerability in the Safari app.]