We have stumbled across a flaw in iPhone security that allows third-party developers to update and execute arbitrary code from their applications at will, totally circumventing Apple’s App Store approval process. Normally, applications (and all of their updates) have to go through a lengthy review process before they’re posted to the App Store, as Apple combs through them to ensure they don’t do anything malicious or otherwise violate its Terms of Service. This exploit may give developers free rein.
The exploit stems from a benign trick that would otherwise seem trivial to most iPhone users. Whenever you launch an iPhone application, an image called ‘Default.png’ is briefly displayed while the app loads in the background. Applications developed in-house by Apple are able to use dynamic ‘Default.png’ images, which can be modified to do a number of things, like show the current date or display the contents of the app before it’s done loading. Until now third party developers have been stuck with static ‘Default.png’ images that could not be changed after the app had been installed. To get around the restriction, developer Patrick Collison figured out a workaround that tricks the iPhone’s code signing mechanisms into giving devs access to these dynamic launch images (for a full description of the trick, read his blog post).
But after digging deeper into this trick and consulting with a few iPhone developers, we believe that this could have much more significant (and potentially harmful) applications. Typically, the iPhone’s API prevents developers from loading code from unsigned areas, but this image hack (which manipulates symlinks) makes the iPhone believe that the content it is loading came from a “trusted” (i.e. permitted) source. Using the same technique with arbitrary code would likely allow a developer to update and execute whatever code they’d like at will.
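The weakness described above is that a file inside the signed bundle is really a symlink pointing at a writable location outside it. As an added example (not code from the article or from Apple), here is the kind of integrity check a loader or review tool would run: walk a bundle without following links and flag any symlink whose resolved target lies outside the bundle. The fixture bundle, its `Documents` directory and file names are constructed for the demonstration.

```python
import os
import tempfile


def find_symlink_escapes(bundle_dir):
    """Return (relative path, resolved target) for every symlink in bundle_dir
    whose target resolves outside the bundle. The walk does not follow links,
    so a directory symlink cannot pull external content into the scan."""
    bundle_real = os.path.realpath(bundle_dir)
    escapes = []
    for root, dirs, files in os.walk(bundle_dir, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # dangling links still resolve to a path
            if os.path.commonpath([bundle_real, target]) != bundle_real:
                escapes.append((os.path.relpath(path, bundle_dir), target))
    return escapes


def build_demo_bundle():
    """Constructed fixture: a fake Demo.app whose Default.png is a symlink into
    a writable Documents directory next to the bundle, plus one harmless
    symlink that stays inside the bundle."""
    base = tempfile.mkdtemp()
    app = os.path.join(base, "Demo.app")
    docs = os.path.join(base, "Documents")
    os.makedirs(app)
    os.makedirs(docs)
    with open(os.path.join(app, "Info.plist"), "w") as f:
        f.write("<plist/>")  # placeholder content, constructed
    with open(os.path.join(docs, "launch.png"), "wb") as f:
        f.write(b"\x89PNG")  # stand-in for an image the app can rewrite at runtime
    os.symlink(os.path.join(docs, "launch.png"), os.path.join(app, "Default.png"))
    os.symlink("Info.plist", os.path.join(app, "Info-alias.plist"))  # stays in bundle
    return app


if __name__ == "__main__":
    for rel, target in find_symlink_escapes(build_demo_bundle()):
        print(f"escape: {rel} -> {target}")
```

Only `Default.png` is reported; the in-bundle alias is not, because the check is about where the link resolves, not whether a link exists.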
We should note that developers generally have the freedom to arbitrarily update and execute code on other platforms that don’t have an approval process, including desktop Windows and Mac machines. But consumers have long been trained to be wary when downloading new software to these platforms – on the App Store, everything has Apple’s stamp of approval, so this discretion is often thrown to the wind as users get promiscuous and try out every app they can get their hands on.
Fortunately, it’s unlikely that any apps currently on the store have already implemented this exploit, so if Apple can fix things quickly before accepting any more applications, your iPhone shouldn’t be at risk.
Update: We’ve gotten a number of comments stating that this may not be as serious an issue as we thought – while it is a legitimate bug, there are other ways to bypass Apple’s screening process to later invoke malicious code, and none of them have been an issue thus far. We did verify the exploit with a number of experienced iPhone developers, but may have overstated its significance.