Apple critics have long complained about Apple’s walled garden policy that severely restricts the ability of just anyone to develop an app for the iPhone and then sell it. You need to play by Apple’s rules if you want to get inside the so-called garden. This policy may be generating some negative spin for Apple but by all accounts it does work. Apple does make sure that any app that enters the fold and is sold at the App Store is safe for everyone to use. But that assurance has been tarnished with the exposure of a security hole that allows an app that passed Apple’s review to turn rogue.
The vulnerability was revealed by Charlie Miller, an Apple security researcher. The app Miller developed was an innocuous looking stock checking app that communicates with a server located in Miller’s home. The app was reviewed by Apple and was deemed safe. It was made available in the App store. The shenanigan happens after the app is downloaded. The app’s code gets updated remotely and from here on in the app will be able to gather information stored on the phone and send it back to the server. The bad news is that the phone user won’t even have any idea that this is happening because it occurs in the background. The app takes advantage of a security hole in the mobile Safari app that will allow apps to run a code that has not been approved by Apple.
Apple has removed the app from the App Store and has also removed Miller from the Apple developer program.