Apple developer booted after revealing iPhone exploit

[Leeky]

Security researcher Charlie Miller has been kicked out of Apple's developer program after he revealed details of a security flaw in their iOS operating system. Miller announced the news on his Twitter account yesterday afternoon, saying, "OMG, Apple just kicked me out of the iOS Developer program. That's so rude!" He added, "First they give researcher's access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry."

Charlie Miller is a retired NSA analyst who now works as a researcher for Accuvant and has hacked practically every device made by Apple since 2007. He was responsible for finding the battery hacking vulnerabilities in Apple laptops, and has found and reported countless flaws to Apple in the last few years.

His latest find involves a security hole in iOS that allows applications -- which have been approved and are live on the Apple App Store -- to grab unsigned code from third-party servers. To prove this, Miller created a generic stock checking app that enabled him to tap into his server at home and grab bits of code from his phone, including a list of running processes and the address book. Check out the video below to see it in action:

By submitting his proof-of-concept application Miller violated the Apple App Store Guidelines, specifically sections 3.2 and 6.1 of Apple's iOS Developer Program License Agreement, which cover interfering with Apple's software and services, and hiding features from the company when submitting them. 

As a result, Apple terminated his developer license with immediate effect, sending a very clear message to everyone to keep hands off the App Store whether they are would be hackers or security researchers.

"I don't think they've ever done this to another researcher. Then again, no researcher has ever looked into the security of their App Store. And after this, I imagine no other ones ever will," said Miller in an email to Cnet. "That is the really bad news from their decision." Miller had allegedly alerted Apple about the exploit three weeks ago.

Permalink to story.

https://www.techspot.com/news/46169-apple-developer-booted-after-revealing-iphone-exploit.html

 

[KG363]

"legit applications". Really? Really?

 

[Scshadow]

Typical Apple ignorance. Charlie Miller, go help other platforms that actually welcome information on any potential security exploits.

 

[cliffordcooley]

Seems to me they fired the guy for doing his job.

If that is so, may he show everyone how its done.

 

[Guest]

DUDE, this is great, Screw apple. Go to android help out the free market, bring us more security and eventually show apple what the hell they did wrong. You just do not fire NSA analysts, sorry but that was just stupid. Steve Jobs would not be proud.

 

[MilwaukeeMike]

Umm... normally I like to rip on Apple as much as the next guy, but I don't think they're wrong here. Charlie found a security flaw and to 'test' it he put an app on the App Store that violated the agreement he had signed. It would be like finding a way into a bank vault and then breaking in at night and stealing something to prove it worked. The bank would be mad, just as Apple was mad.

Sounds to me like this Charlie dude did what many hackers do, they show off their work for some attention. Now he's dealing with the consequences. So, Charlie.... Deal with it.

And honestly, who says 'Me angry'?! Who does he think he is? Elmo?

 

[Burty117]

wow, what a stupid move apple, this guy has just shown you a very fundimental flaw with your app store (this brings in alot of money for those in the finance department) and you fire him for A) doing his job and B) helping you fix the app store? How stupid...

 

[cliffordcooley]

And honestly, who says 'Me angry'?! Who does he think he is? Elmo?

Do you honestly think everyone talks the same way? He probably said it that way as a joke and you are taking him seriously.

 

[mario]

Did anyone read the actual story first before commenting? Charlie Miller was not an Apple employee, he's an independent security researcher that got an App approved that could run arbitrary unsigned code using a security exploit, which is prohibited by App Store rules.

Although the news title might lead to confusion, remember it's alway good to read the entire article.

 

[Guest]

Hi,

This is stupid from Apple to ban someone for showing then the security flaw. Also he did'nt stole any info from the apps store or any other users:

"To prove this, Miller created a generic stock checking app that enabled him to tap into his server at home and grab bits of code from his phone, including a list of running processes and the address book."

He tap into his OWN server and grab info from his OWN phone. This was to prove to Apple that the flaw exist, not to hack any other person info.

This is a bit like the story a while ago about a hacker that got bring to court because he found a flaw in a company security and told them about the flaw. Instead of being happy about someone finding a flaw for FREE and telling them they brought the guy to court.

Apple think there product are perfect and does not contain any security flaw but we all saw that its not the case and when someone show them that they are not perfect they either ban them or bring them to court. Way to go Apple, you are going down slowly but surely.

 

[Guest]

Welcome to ANDROID, Charlie.

We love you. We want you. We don't censor. The "We" of whom I speak is EVERYONE.

Come over from the DARK SIDE, Charlie. Yes, Apple is now BIG BROTHER -- I'm starting to think their 1984 Superbowl commercial was a WARNING of what they would become.

Come on in. Your desk is right HERE, and we all split the cost of coffee over there in the break-room. Carmen Electra has volunteered to be your assistant.

Charlie! It's great to have ya!

 

[Guest]

@Mario : to find a flaw, you have to test it and thats what he did!
no he wasnt an employe, but he did something good for them. i mean, he could have sold or used this exploit, but instead, he reported it to apple. and they answered as d1ck$ to him.

 

[mario]

I'm not saying that what he did is wrong, I'm just saying the App Store has a policy and if you break it you will get your App banned or thrown out of it.

So basically Apple pulled an app that could damage your phone or leak your personal data, and all you guys are like hey come to Android we love having that kind of malware on our systems: https://www.google.com/search?gcx=w&sourceid=chrome&ie=UTF-8&q=android+malware

 

[stewi0001]

I guess this is like a 50/50 issue. Thanks for finding this but you broke da rulez

 

[Guest]

LOL@fanboys, i'll go to Android when i stop seeing sketchy screen swipes, handset manufacturers stop preinstalling software you cannot uninstall, and when (at least) 90% of the handsets available running Android can get the same update. Got it? Good.

PS, I don't care if you can root it. that's not the point.

 

[Guest]

mario: So basically Apple pulled an app that could damage your phone or leak your personal data, and all you guys are like hey come to Android we love having that kind of malware on our systems

Did you read this part, mario? > To prove this, Miller created a GENERIC stock checking app that enabled him to tap into HIS SERVER AT HOME and grab bits of code from his phone, including a list of running processes and the address book.

Nothing got pulled. That implies it was approved. The APPLICATION was rejected. It was his proof-of-concept application, not something he was looking to make money off of. I'm with Miller. I think he did tell Apple about it prior, and when they ignored him, he created an app to prove what he was saying, and all you (mario+readers) hear is, "someone can get my data? damn you Miller!", when you should be saying, "damn you Apple for not listening to Miller."

 

[Jos]

Guest: Actually, the application was approved but subsequently pulled after he made the security hole public. If you watch the video, Miller downloads it from the App Store. He made it to demonstrate the flaw and not for any malicious purpose... I don't think mario or the article implied otherwise.

 

[Guest]

Well mario did say Apple did us a favour, when that is not the case at all. Okay Miller downloaded it from the app store, but he did it to show what he was saying about the exploit was true.

 

[Guest]

The problem is not that is application was pull off but the fact that Apple kick him out of the program entirely.

 

[Guest]

Yes but he let apple know so it would be like breaking into a bank, anfd then phoning the bank to prove that you could do it, while I agree he did violate his contract apple is wrong in this regard as they have always gone on and on about how OS X, IOs are immune to malware, viruses and would probably not believe anyone informing them otherwise

 

[Guest]

Seems that the spirit of Jobs is still alive and well...

 

[Burty117]

I watched the video again and he rick rolled himself

 

[negroplasty]

I guess Apple, like its users, would rather bury its head in the sand.

 

[amstech]

The people overseeing the technology don't understand it, and make poor disiplinary decisions.
Been happening for 20 years or so. Even at Microsoft and Apple.

Or they are just being harsh.

 

[MrAnderson]

They should hire people to do exactly what he is doing on a replicated version of the production environment. I?m not surprised and actually do not disagree with Apple's reacting. He violated the terms or contract. If they don?t act, it will only illustrate that they don?t take the production environment seriously. This adds somewhat to the level of security. If a developer does do harm, yes there will be some people that are victimized, but when caught that developer could find him/herself in serious poo-poo. Moreover, lepers on the ?golden? platform - a deterrent no less I'm sure.