An iOS security exploit, unveiled by security researcher Charlie Miller, allows an app to download and execute unsigned code from a remote unknown server. What’s even more astonishing, to prove the exact details of this hack, Charlie Miller developed and submitted an app containing the exploit to Apple. The app was approved and available in the App Store. (It has since been removed, and Charlie Miller has also now been removed from the iOS developer program.)

Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 early last year. To increase the speed of the phone’s browser, Miller noticed, Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, he realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.) The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like. “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

Miller plans on demonstrating the exploit at the SysCan conference in Taiwan next week. In the mean time, take a look at the video below which shows the exploit in action. Using the app he can take a copy of a users address book, direct them to a YouTube video or steal photos from the device running the app.

We are sure Apple will be releasing a fix very soon to plug this exploit, now that it is out in the open!

Source: Forbes via Daring Fireball