Major iOS security flaw allows a trusted app to download malicious code

Apple has a pretty strong approval process in place for apps on their mobile phones and tablets, or at least they thought they did. It turns out that a security flaw in iOS allows a trusted and approved app to download potentially malicious code.

The security flaw exists in iOS 4.3 and higher and was recently discovered by hacker Andy Miller. Miller found that, in order to speed up the mobile version of Safari, Apple allows JavaScript to run at a deeper level than in previous versions of iOS. To make that possible, Apple created an exception that allows the browser to run unapproved code right in memory.

Miller exploited this ability to allow his approved test application to download code from another source once it was loaded onto the device. The short version of all of this is that an app could be created and approved because it has no offending code in it at all. Once the app is loaded onto a device, it could then reach out to a central server, download malicious code, and control a number of features like address book access or location services.

Miller's InstaStock app has already been pulled from the App Store by Apple, but there is a video out there demonstrating the concept. Aside from pulling the app, Apple hasn't formally responded to this. Hopefully they will release whatever fix is necessary to close up this security hole, but one has to wonder if doing that will make mobile Safari slower.
