Yesterday, Charlie Miller released a video about an app that exploited a flaw in Apple’s code-signing on iOS devices, that allowed his app to run malicious code to run on an iOS device. The app was actually submitted to Apple under the guise of a stock market app and managed to get through their vetting process.
When Apple learned of the real purpose of this app, they immediately pulled it from the App Store and later also removed Miller from the iOS developer program. Can’t say this was unexpected as Miller clearly violated Apple’s policies. The right thing to do would have been to contact Apple regarding the flaw and then under the RFPolicy Apple would have had five days to respond to Miller. Had Apple not contacted Miller in those five days only then the issue should have been publicly disclosed. This is essentially what the developers did when they discovered the bug in HTC devices recently. So although Miller pointed out an important flaw in the system, he chose to do it the wrong way.
Still, what this does bring to light is that Apple’s closed system is not 100% secure, as no system can ever be. It’s still far more secure than an open system but at the end of the day there will be flaws and someone will exploit them. Good thing is that it should soon be patched. Till then one should exercise caution while downloading from the App Store.