
After demonstrating that an app can download malicious code after being accepted into the App Store, developer Charlie Miller found out that Apple had pulled his developer credentials.
Charlie Miller exposed a threat to the security of iOS devices by creating an app that could exploit a JavaScript exception in Mobile Safari. The exception allowed the download of malicious code after an app had already been accepted into the App Store.
Miller announced via Twitter that he had been removed from the Apple Developer Program. Security researchers usually disclose the flaws they find to the company responsible for them. Instead, Charlie created and published an app showcasing the flaw. [Twitter via Cult of Mac]

Joel
Tuesday, November 8, 2011 at 12:29 PM
Before anyone gets all worked up over this, the problem isn’t that he found the code, the problem is that he released an app in the App Store, which is obviously a clear and big breach of T&C.
Ruen
Tuesday, November 8, 2011 at 12:33 PM
Yeah, usually I enjoy a good ride on the Apple bashing bandwagon, but in this case he really couldn’t expect anything less. He should have brought the security flaw to Apple’s attention first instead of using the exploit himself, even if it was for less than malicious means.
Kroo
Tuesday, November 8, 2011 at 3:46 PM
Well he could have been a hero and brought it to Apple’s attention, and announced it to Gizmodo, but no, he wrote an exploit into an app, tried to get it passed and have Apple with egg on its face. What the hell was he thinking and what was his motive? Clear breach of the TOA, what did he expect, a Nobel Prize?
DarkAura
Wednesday, November 9, 2011 at 8:40 AM
Actually guys, from what I read on most other sites, he did inform Apple at least 3 weeks beforehand, and as Apple is Apple they didn’t patch the issue or even show any intent to deal with the issue. Hence he wrote a harmless app which proved the security flaw.
The idea was to create this type of response.
Of course Giz didn’t mention this. The story should be about the exploit in the App Store with doom and gloom.
adam
Tuesday, November 8, 2011 at 12:33 PM
How come in the article before his name was Andy Miller and now it is Charlie Miller?
Jackson Bison
Tuesday, November 8, 2011 at 12:40 PM
Keep up – we live in an ever changing society!
Joel
Tuesday, November 8, 2011 at 12:42 PM
I heard his name is Charlie Brown now.
Antonia
Tuesday, November 8, 2011 at 12:40 PM
You guys are too quick to judge, especially as we don’t have the full story. How, for instance, do you know that Miller hadn’t been badgering Apple for weeks about the bug only to be fobbed off?
Joel
Tuesday, November 8, 2011 at 12:41 PM
You still make it public, but you don’t release an app in the App Store that uses said breach.
If you make it public it will be fixed, no need to exploit it.
Ozoneocean
Tuesday, November 8, 2011 at 2:08 PM
No, he had to check whether the app could get through their checking process so that this flaw was viable. If apps crafted to exploit the flaw couldn’t get into the store then this wouldn’t have been so much of a massive issue.
Richard
Tuesday, November 8, 2011 at 7:20 PM
What a load of crap. I don’t have to jump off a cliff to know it will kill me, just as he didn’t have to release an app exploiting a flaw to prove there was one.
Ozoneocean
Tuesday, November 8, 2011 at 2:06 PM
He had to put the app in the store to test that this was a viable flaw. Kicking him out was of course silly.
This is why security experts have said that iOS is actually less secure in the long run than Android: because it is closed, hackers will work safely in secret with not as many people scrutinising the code, with users completely unaware of any issues, while the open platforms will have a massive community continually working to find and fix these things in collaboration – like Linux.
Blake
Tuesday, November 8, 2011 at 2:52 PM
It’s A and B.
The proof of concept app is reasonable. Saying “hey, this app right here can execute malicious code” before you contact Apple is not.
Kroo
Tuesday, November 8, 2011 at 3:58 PM
So using your logic, Apple should have passed this knowing it was trying to undermine a flaw in iOS (undermining its own checking and security processes) and waited for Ashton Kutcher to come out from behind a tree and say “you’ve been punked”. Yeah, right. At least they have a security checking program unlike Android, or have you forgotten the whole “wallpaper app” scam? Oh, it’s just “silly” to delist anyone for clearly breaching the developer agreement. Are you an idiot, or just doing an impression of one? Enjoy your Android fragmentation (makes you wonder why a fandroid posts on an iOS story? Troll much)
Ozoneocean
Tuesday, November 8, 2011 at 4:04 PM
I don’t think you understand the issue here.
He wasn’t exploiting anything or being malicious, this was simply research.
First he found the flaw, then crafted a program that could use it, then he had to test if such a program could get into the App Store undetected. It’s all part of the same process – researching to see if this was actually as big an issue as he thought it was, and it WAS.
Kicking him out is simply idiotic and was probably done by a low level grunt with little understanding of the issues here.
I’m afraid there’s more at stake than childish reputation control of silly fanboyism here.
Kroo
Tuesday, November 8, 2011 at 7:30 PM
First rule of a “white hat” hacker is to bring any exploit to the notice of the OS developer. Simple. Second rule, you don’t then write the exploit into an app and try to get it past the OS developer. He broke two rules. One being part of the written terms of agreement of the Apple Developer Program, two the white hat’s code of disclosure. What were HIS motives?
Richard
Tuesday, November 8, 2011 at 10:43 PM
“First he found the flaw, then crafted a program that could use it, then he had to test if such a program could get into the App Store undetected.”
No. He did not have to get it published. By developing the application he has already proven there is a flaw and can demonstrate the issues. The publishing of it on the App Store is a separate process in itself, but does nothing to prove any case about the seriousness of the flaw. It is well known that there are humans involved in the review process; had his app been blocked from submission he wouldn’t have proven that someone else couldn’t submit an application that uses the same exploit but would be missed by another code reviewer.
Uploading the application to the store was a fundamentally flawed test and not one that was needed to determine whether there was a problem in the OS. The problem would exist either way.
Flux
Tuesday, November 8, 2011 at 7:48 PM
*sigh* And once again the fanboy arrives. There’s no middle ground here, Kroo? There’s nothing between “kick him out and ban him from touching our ecosystem ever again” and your strawman of passing the app into the App Store despite knowing its flaws – somehow involving the use of a TV meme that is like 5 years old now? Seriously, be quiet – grown-ups are talking.
On-topic: The fact is that this guy – a recognised security researcher – was doing his job trying to test Apple’s claim that it was impossible to get unverified code onto iOS thanks to examinations of new apps done by the Security Team, and he did that. The Security Team’s job was to notice his flawed code, and reject it. They didn’t do that.
It’s a lot like the Colonial Mutual thing from a month ago – it’s not the researcher’s fault that the system is flawed, and if corporations choose to attack the bearer of bad news (who has no malicious intent) rather than fix systemic problems then that’s on them. Do I expect the App Store to be perfect in its ability to detect dodgy apps? Not at all, I’m an IT guy and I know no system is perfect. I just kinda wish that Apple would stop trying to tell the world they can “clean the web” of all threats, when they can’t. Instead of learning from his work, Apple have sought to hamstring it.
Richard
Tuesday, November 8, 2011 at 11:19 PM
Except other parties have already released apps in the past that allowed the execution of code and been pulled, perhaps not in the exact same manner, but the precedent is there and he would have known full well he was breaking the store’s rules.
So what if he was well known? The people doing the review likely didn’t know that, nor should they have to know the background. The rules are there to prevent malicious activities, and regardless of his intentions he should have abided by them. There are ways to prove the flaw without putting the app into the store; he would have had to test it locally anyway so he already knew it worked. Publishing it was just asking for attention.
It’s not his fault the OS is flawed, no. It’s his fault he can’t follow a terms of service agreement but.
Richard
Tuesday, November 8, 2011 at 11:22 PM
To emphasise. If you want to test something, use a debugging tool like EVERY other developer does on a daily basis. Don’t use Apple’s store as a test bed however. It’s ridiculous to expect there wouldn’t be consequences.
Andrew
Tuesday, November 8, 2011 at 3:33 PM
Q: Does iOS have security flaws?
A: Yes.
Q: Can an app with malicious code get into Apple’s App Store?
A: Yes.
Q: Can you test that objectively by telling Apple beforehand?
A: No.
Ozoneocean
Tuesday, November 8, 2011 at 4:08 PM
This is it exactly!
Because of the closed, secretive system, the approach he used was the only way to verify this issue. People seem to refuse to understand that getting through the app checking process was part of the problem that needed testing.
Peter
Tuesday, November 8, 2011 at 10:14 PM
+1
Thanioti
Tuesday, November 8, 2011 at 6:05 PM
Die Crapple
Joel
Tuesday, November 8, 2011 at 11:36 PM
Die random Apple hating troll
Evil Stan
Wednesday, November 9, 2011 at 10:21 AM
Die WEBOS..oh wait..