November 8, 2011
Security Researcher Booted From Apple’s Developer Program
A software security researcher working with Accuvant Labs, identified a security flaw with Apple´s App Store and for his troubles, had his developer license pulled by the gadget maker, Jim Finkle of Reuters is reporting.
Charlie Miller built a prototype program to test the flaw and it was successfully offered for download by Apple´s site but there is no evidence that hackers have taken advantage of the software flaw through Apple´s mobile operating system.
“Until now you could just download everything from the App Store and not worry about it being malicious. Now you have no idea what an app might do,” Miller told BBC News.
Miller created the proof-of-concept application to demonstrate the security exploit that was already present in the App Store, and had even gotten Apple´s approval for distribution. The exploit was hidden inside a stock ticker program, InstaStock, that could tap into his own server and grab bits of code to show that it worked, Forbes´s Andy Greenberg reports.
This, Apple wrote in a strongly-worded letter to Miller, violated the developer agreement that forbid him to “hide, misrepresent or obscure” any part of his program. Apple immediately revoked Miller´s access to their developers program.
Miller argues that he was only trying to demonstrate a serious security issue with a harmless demo, and that revoking his developer rights is “heavy-handed” and counterproductive. “I´m mad,” he says. “I report bugs to them all the time. Being part of the developer program helps me do that. They´re hurting themselves, and making my life harder.”
“I don´t think they´ve ever done this to another researcher. Then again, no researcher has ever looked into the security of their App Store. And after this, I imagine no other ones ever will,” Miller said in an e-mail to Josh Lowensohn of CNET. “That is the really bad news from their decision.”
Miller has a long history of discovering bugs in Apple´s mobile device security with one of his most high-profile discoveries being a hack for the mobile version of Safari in 2007, shortly after the first iPhone was released.
Recently, Miller detailed that the low-level system software that ships on all of Apple´s recent-model batteries was protected by the same two passwords, letting would-be attackers theoretically disable the batteries given access to an administrator account.
On the Net: