Researcher booted from iOS dev program over exploit app

Security researcher Charlie Miller has been kicked out of Apple’s iOS Developer Program over a proof-of-concept app that Miller released on the App Store. According to Forbes, Miller discovered an exploit that allows apps to call out to an external server that downloads new, unapproved commands onto the device and can execute them at will. Using the exploit, a malicious app could potentially steal a user’s photos, read contacts, make the phone vibrate or play certain sounds, or repurpose normal iOS apps for nefarious purposes. To demonstrate the exploit, Miller submitted and had approved a fake stock ticker program which was available for a time on the App Store, which led to the termination of his developer agreement with Apple.

“This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple,” Apple’s email to Miller read. “Effective immediately.” The email cited the portion of the agreement that forbade him to “hide, misrepresent or obscure” any part of the app. Miller claims that he was only trying to demonstrate the issue, and argues that his past track record should have been taken into account. “I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder,” he told Forbes. “They went out of their way to let researchers in, and now they’re kicking me out for doing research. I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”
