Security Researcher Reveals iOS Security Flaw, Gets Developer License Revoked
Security researcher Charlie Miller revealed earlier today that he had found an exploit in Apple's iOS software that allows an App to run arbitrary code. Apple generally approves all code that is submitted to the AppStore and forbids the execution of un-approved code, but Miller discovered a way to bypass this restriction. Forbes writes:Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 early last year.
...
The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like.
Using his method–and Miller has already planted a sleeper app in Apple’s App Store to demonstrate the trick–an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.
Shortly after the news broke, Apple revoked Miller's developer account, citing a breach of the developer agreement.“This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple,” the email read. “Effective immediately.”
Miller plans to present his findings at the SysCan conference in Taiwan next week.Top Rated Comments
(View all)
Charlie is a smart guy who makes some really stupid decisions.
Professional developers disclose issues in iOS to Apple through secure channels all the time without this media madness.
For the record, without a real app in the AppStore, people would say Apple wouldn't approve an app that took advantage of this flaw.
That pretty much explains why he submitted the app for approval.
I have no doubt that many would have said this wouldn't have got through if he simply revealed the flaw without submitting an app.
----------
This makes Apple look pretty bad. And if he had submitted the bug what are the chances Apple would have responded in a timely manner if at all?
He submitted the bug to Apple on Oct 17 according to the source article.
No company or person likes to be exploited. Miller should have revealed the findings instead of trying to take advantage of the flaw.
I guess he should have told apple about it instead of submitting that app
That's what people are supposed to do and actually do. :)
This makes Apple look pretty bad. And if he had submitted the bug what are the chances Apple would have responded in a timely manner if at all?
Are you an Apple developer? Bug reporter is very active and issue like this is treated as DEFCON 1. This is a huge bug when exploited is an unbelievably huge security leak. Apple cannot tolerate to have left this for more than a week as well.
Plus the guy made an app. Submitted it. Got it accepted and placed in the app store. Probably spent a month just to prove his concept.
Great. That's how you get revoked.
On another note, I'd be surprised if Apple doesn't take a stance against this developer as instead of giving this info to Apple, he decided he would make a video out of it and bring some free media hype and undeniable fame. Cool.
Uploading an exploit to a live environment where people can download it? Not cool.
[ Read All Comments ]
Even as Apple is preparing to open its first Dutch retail store in Amsterdam on March 3, the company is moving closer to expanding its international reach even further as it has updated its Swedish...
Following reports yesterday that Apple would open its first Dutch retail store in Amsterdam on March 3, the company has confirmed that date today with emails to customers and a new dedicated store...
The Charlotte Observer reports that a total of 25 iPhones valued at over $16,000 have been reported stolen from Apple's Northlake Mall retail store in Charlotte, North Carolina. While...
German site iFun.de reports [Google translation] that has it has received information from a source "to be taken seriously" claiming that the iPad 3 will debut there on Friday, March 23.
...
AFP reports that Proview Technology has expressed a willingness to work toward a settlement with Apple in the "iPad" trademark dispute in China, even as the company continues to press forward...
