| (Credit: Josh Lowensohn/CNET) |
Researchers have once again pulled a fast one on Apple's app approval process, getting malware onto the App Store to prove it's still a possibility.
A group of researchers from Georgia Tech developed an app that masqueraded as a news reader that would phone home to reprogram itself into malware -- something that was apparently not picked up in Apple's security screening procedures, reports the MIT Technology Review.
Once configured remotely, the software was able to do things like send texts, e-mails, post Tweets, take pictures, dial phone numbers, and even reboot the system.
Apple only ran the app for a few seconds during its testing process, the researchers said. And once published to the App Store, the researchers quickly removed it after they were able to successfully install it on their phones.
The methodology and results of the test, which occurred in March, were published this week at the UNSENIX Security Symposium in Washington, D.C.
Apple told the Technology Review it has changed its iOS security since learning of the vulnerabilities detailed in the research, though it's unclear if anything's changed in the company's app screening process. (Credit: Georgia Tech)
This isn't the first time a researcher has slipped malware onto the App Store to prove a point. Charlie Miller, a well-known security researcher (and now Twitter employee) who targeted Apple's products and services for years, did the very same thing in 2011. Miller released a generic stock-checking app called InstaStock that could tap into his own server and grab bits of code. The behavior was grounds for dismissal from Apple's developer program, per the company's App Store guidelines.
Apple has long touted the security of the App Store, with executives going so far as to bash competitors for it. On the eve of Samsung's Galaxy S4 announcement back in March, Apple's marketing chief Phil Schiller tweeted "Be safe out there" while linking to a report from F-Secure, which focused on the rise of Android security threats. Schiller also gave interviews to Reuters and The Wall Street Journal knocking other aspects of the Android platform.
You can read the full paper here (PDF warning).
Apple power adapter security flaw to be patched in iOS 7
Comfoo cyberspy campaign still active
Phishing scam piggybacks on Apple Dev Center hack
Surveillance scandal rips through hacker community
IBM acquires Trusteer to form cybersecurity lab