Researcher booted from iOS dev program over exploit app
By Charles Starrett
Contributing Editor
Published: Tuesday, November 8, 2011
News Categories: Apple, Apps + Games
Security researcher Charlie Miller has been kicked out of Apple’s iOS Developer Program over a proof-of-concept app that Miller released on the App Store. According to Forbes, Miller discovered an exploit that allows an app to call out to an external server, download new, unapproved commands onto the device, and execute them at will. Using the exploit, a malicious app could potentially steal a user’s photos, read contacts, make the phone vibrate or play certain sounds, or repurpose normal iOS apps for nefarious purposes. To demonstrate the exploit, Miller submitted a fake stock ticker program, which Apple approved and which was available for a time on the App Store; its discovery led to the termination of his developer agreement with Apple.
“This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple,” Apple’s email to Miller read. “Effective immediately.” The email cited the portion of the agreement that forbade him to “hide, misrepresent or obscure” any part of the app. Miller claims that he was only trying to demonstrate the issue, and argues that his past track record should have been taken into account. “I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder,” he told Forbes. “They went out of their way to let researchers in, and now they’re kicking me out for doing research. I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”
Comments
1
How long has “don’t kill the messenger” been part of basic human knowledge?
Posted by Code Monkey in Midstate New York on November 8, 2011 at 2:52 PM (PST)
2
I suppose he put Apple in the uncomfortable position of having to enforce the rules. Still seems hypocritical when they’re giving internships to jailbreak developers.
Posted by Paul on November 8, 2011 at 4:25 PM (PST)
3
This was clearly little more than a publicity stunt, at best, since he went about the process in the completely opposite way from which he should have.
He released a rogue app into the App Store back in September, which was approved by Apple and became available to anybody who wanted to download it. He then waited until October 14th to actually inform Apple of the vulnerability.
Even had he been looking to expose a flaw in the App Store review process (which shouldn’t be the real point here), he should have set the app for a future release date (developers can decide when to actually “publish” their app once it’s been approved), and then notified Apple immediately after it was approved—not at least two weeks later.
In fact, a more cynical person could come to the conclusion that it was an attempt to actually distribute malware through the App Store under the guise of “security research.”
Posted by Jesse Hollington in Toronto on November 9, 2011 at 9:18 AM (PST)
4
@3: I disagree. I’d argue that he did it exactly right. It was approved, it was available for anyone to download, and nobody, not least of all Apple, noticed. That is the lesson here, and one that no one, particularly Apple, would have gotten from a quiet behind the scenes notification.
Corporations have shown time and time again that they do not respond to being quietly informed about their vulnerabilities. These “publicity stunts” have been shown to be the only reliable remedy against the bean counters.
Next time he’ll be left to do what many other security activists do: just publish the exploit and the code to exploit the exploit for any and all to take advantage of.
Posted by Code Monkey in Midstate New York on November 9, 2011 at 11:36 AM (PST)