A software flaw in Apple iOS may allow hackers to build apps that secretly install programs to steal data, send text messages or destroy information, according to an expert on Apple device security.
Charlie Miller, a researcher with Accuvant Labs who identified the problem, built a prototype malicious program to test the flaw.
He said Apple's App Store failed to identify the malicious program, which made it past the security vetting process.
There is as yet no evidence that hackers have exploited the vulnerability in Apple's iOS software.
But Miller said his test demonstrated that there could be real malware in the App Store.
"Until now you could just download everything from the App Store and not worry about it being malicious. Now you have no idea what an app might do," Miller said.
Miller said he proved his theory by building a stock-market monitoring tool, InstaStock, that was programmed to connect to his server once downloaded, and to then download whatever program he wants.
(To see a YouTube video demonstration of the technique, go to http://www.youtube.com/watch?v=ynTtuwQYNmk)
Apple did not respond to requests for comment.
Miller, who in 2009 identified a bug in the iPhone text-messaging system that allowed attackers to gain remote control over the devices, said that he had contacted the company about the vulnerability.
"They are in the process of fixing it," he said.
Miller is scheduled to present his detailed research at the SyScan '11 security conference in Taiwan next week.
(Reporting by Jim Finkle; Editing by Gary Hill)
Copyright Reuters. Click for restrictions.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.