Security researcher publicly displays iOS exploit, gets banned by Apple

By on November 8, 2011
submit to reddit

Exploit was demonstrated by uploading malicious app to App Store.

A security expert, Charlie Miller, recently discovered a security flaw in Apple’s iOS platform, which basically allows developers to run unsigned code remotely on an approved app.

The things is, though, that despite being a White Hat hacker, Miller didn’t inform Apple of this vulnerability directly. Instead, he uploaded a malicious app to the App Store, and once it was authorized on the App Store, he created a video showing how he could run unsigned code that Apple isn’t even aware of, on an app that they have approved.

Obviously the idea is to show how dangerous this can be for consumers, but Apple didn’t take this show lightly. “Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.

Late yesterday Apple banned Miller from the App Store and the Developers Program. At this point Miller tweeted about the incident by writing, “First they give researcher’s access to developer programs, (although I paid for mine) then they kick them out.. for doing research.

I find it hard to blame Apple on this one, because the ban is justified just on principal alone; Miller clearly violated the App Store agreement by uploading an app whose purpose was to allow malicious content to be run on the iOS device. Furthermore, Miller could have brought this security flaw to the attention of Apple directly, but the manner in which it was displayed showed signs of displaying his hacking skills rather than warn Apple.

As far as uploading the malicious app, Miller tweets, “For the record, without a real app in the AppStore, people would say Apple wouldn’t approve an app that took advantage of this flaw.”

Whether this ban was justified or not, it certainly shows what not to do when a security flaw is discovered in the App Store.


About

From auditing to editing, I now test and analyze the latest gadgets and games instead of the latest financial statements. Both jobs are equally intense and rewarding. When I'm not burning up hardware in the name of science, you'll find me nuking in DOTA 2 or engineering in TF2.

Comments
  • Moe

    But Apple’s lack of adequate security measures have meant that any and all apps can be used for that purpose so they have violated their own terms. If he had informed Apple, would they have made it public? Or would they have sweeped it under the rug until they could fix it in the next update or two? Seems more like Apple feeling embarrassed by this and feel the need to act childish over a major flaw.

Most Read
Most Commented
Competitions
Win two Toshiba AT200 tablets

This festive season Toshiba has 2 tablets to giveaway.

Win an MSI FM2-A85XA-G65 Motherboard

Thanks to MSI we have an great AMD FM2 motherboard to giveaway.

Win a Nokia Asha 311

Thanks to Nokia we have a great entry-level smartphone to giveaway.