Bruised Apple

Developer punished after finding flaw making iPhones, iPad hackable

Wednesday, November 9, 2011

What happens when you uncover a critical security flaw in Apple’s iOS software, and then inform the company about your discovery?

Just ask Charlie Miller, a St. Louis-based security researcher who discovered a critical flaw in the way iOS handles JavaScript that could let hackers remotely access files on an iPhone or iPad, as well as remotely control the device.

After telling the company about the flaw, Miller’s iOS developer agreement was terminated by Apple.

“OMG, Apple just kicked me out of the iOS Developer program,” Miller said on Twitter. “That's so rude! First they give researchers access to developer programs (although I paid for mine), then they kick them out for doing research. Me angry.”

Miller uploaded a proof-of-concept malicious app to the App Store in September. The app would then contact a remote server — in this case, Miller’s computer — to look for further instructions.

In a demonstration video, Miller remotely downloaded his iPhone’s contact list and caused the iPhone to vibrate on command.

The fear is that hackers could exploit the same flaw and upload seemingly innocuous — but in actuality malicious — apps under Apple’s nose. Then the cyberthieves might steal all sorts of user data, or issue commands — “iPhone, call this expensive 1-900 telephone number in the middle of the night” — without users knowing about it. The flaw also calls into question Apple’s ability to spot malicious apps, a problem that has previously afflicted Google’s Android Market.

Miller, a security researcher at information security firm Accuvant, told Apple about the flaw three weeks ago. The malicious app is no longer available on the App Store.

Neither Miller nor Apple responded to a request for comment.

“Just found out not only am I kicked out, [but] I can't come back for a year,” Miller tweeted. “1 year suspension.”

Miller acknowledged that uploading a potentially malicious app to the App Store violated his terms of service agreement with Apple, but said, “I doubt the [terms of service] let me do any of the [security research] crap I do. So why boot me now?”

Apple hasn’t addressed the flaw, but it’s expected to be fixed in an upcoming patch.