Developer sneaks in an app revealing iOS security flaw, gets kicked out of dev program

Mac hacker Charlie Miller found an exploit in iOS which would allow apps to download malicious code after their App Store acception, but in order to prove it he decided to actually submit the application. Everything went as expected, except for one little thing – Apple removed the developer from its iOS developer program right after it found out about the malicious software.

A rude way to address someone who actually revealed a security threat to the system? Not exactly, as this is technically a violation of Apple's policies. Miller could have avoided that if he'd share the found exploits with Apple instead of just demonstrating it in their store. If the developer had chosen to do so, Apple would have had to respond within 5 days, and only then could the issue be made public. But we still find this a bit too harsh given the fact that the developer didn't actually use the vulnerability, but rather brought it to Cupertino's attention.

Miller's application was disguised as Instastock, a stock app, and yesterday the developer released a public video showing off the exploit, which uses an exception in iOS versions 4.3 and later. The code he ran uses that exception to run unsigned code and can be expanded to other apps. He demonstrated the effects by remotely playing a YouTube video, enabling vibration on the iPhone and downloading all phone contacts.

Microsoft quickly jumped on the Miller PR ship by inviting the hacker to Windows Phone's dev program. Miller may or may not accept, but this offers an interesting angle on dev relations at both companies.

Finally, there are two ways to look at this story. The first and most obvious one is that Apple's iOS platform – just like any other platform – has its flaws and is not 100% secure. The second, however, is that Apple is acting swiftly to keep its OS clean, and so far it seems that this level of protection yields good results, especially against the backdrop of various reports about Android's openness to attacks. What do you make of it?

source: Gizmodo


11 Comments

1. android_hitman unregistered

finally someone proved that apple is not so bulletproof as they think

8. iKingTrust

Posts: 716; Member since: Jul 27, 2011

finally? Anyone with a brain knows that there is nothing as totally secure.

2. ivanko34

Posts: 617; Member since: Sep 04, 2011

Excommunicated of the apple church of bugology

4. paulyyd

Posts: 340; Member since: Jan 08, 2011

sweet analogy bro

3. protozeloz

Posts: 5396; Member since: Sep 16, 2010

I think it might have not been so smart to do so. Anyways, I know people who would like to have him on their team; he is more than welcome to join XDA

5. ibap

Posts: 867; Member since: Sep 09, 2009

"acception"? Does no one review these things before they're posted?

6. remixfa

Posts: 14605; Member since: Dec 19, 2008

way to go MS for trying to capitalize on an opportunity to pick up someone smart enough to find long existing security flaws that no one else could. How long has iOS 4.3 been out and no one has noticed? Like normal, I think apple way overreacted. But, such is apple.

7. Sniggly

Posts: 7305; Member since: Dec 05, 2009

Wait... Google acts just as swiftly to get rid of malicious attacks and apps. Why put them down in this article?

9. blackrose

Posts: 48; Member since: Apr 15, 2011

actually the guy told apple about it 3 weeks before it went into the app store and they chose not to pay any mind

10. downphoenix

Posts: 3165; Member since: Jun 19, 2010

I'm sure this dev DID share this information with Apple and Apple either did not acknowledge him or said that he was wrong. So he had to prove to them he was right. Way to treat a developer. Hope he's smart and sticks with android or windows from now on instead of fighting the ban.

11. gaby1451

Posts: 119; Member since: Mar 30, 2011

Hey Victor, When you said, "Miller could have avoided that if he'd share the found exploits with Apple instead of just demonstrating it in their store." He actually did do just that. According to Engadget Mobile, "He [Miller] told CNET that he alerted Apple to the exploit three weeks ago, however it's unknown whether or not a fix for the problem is included in the new 5.0.1 version of iOS that's currently in testing." Still, rules are rules I suppose... http://www.engadget.com/2011/11/07/charlie-millers-latest-ios-hack-gets-into-the-app-store-gets-h/
