Apple boots security guru who exposed iPhone exploit

By Josh Lowensohn, CNET News, on November 8, 2011 (zdnetasia.com)

Summary: A prominent security researcher has been ousted from Apple's development programs after publishing research that demonstrated vulnerabilities in the company's mobile app software.
Security researcher Charlie Miller has been ejected from participating in Apple's developer programs, shortly after releasing early findings of a security hole in the company's iOS software.
Miller announced the news on Twitter, saying "OMG, Apple just kicked me out of the iOS Developer program. That's so rude!"
Earlier Monday, Forbes' Andy Greenberg published a story featuring Miller, a well-known security researcher who targets Apple's products and services. Miller's latest discovery was a security hole in iOS that let applications grab unsigned code from third-party servers, code that could be added to an app even after it had been approved and was live on Apple's App Store.
To test the feature, Miller released a generic stock-checking app called InstaStock that could tap into his own server and grab bits of code to show that it worked. As noted in our original coverage, such behavior is grounds for dismissal from Apple's developer program, as spelled out in Apple's App Store guidelines.
Apple noted in its letter to Miller that he violated sections 3.2 and 6.1 of Apple's iOS Developer Program License Agreement (a separate agreement), which respectively cover interfering with Apple's software and services, and hiding features from the company when submitting them.
"I don't think they've ever done this to another researcher. Then again, no researcher has ever looked into the security of their App Store. And after this, I imagine no other ones ever will," Miller said in an e-mail to ZDNet Asia's sister site, CNET. "That is the really bad news from their decision."
Apple did not immediately respond to a request for comment on the matter.
Miller has highlighted numerous security flaws within Apple software over the years, with one of his most high-profile discoveries being a hack for the mobile version of Safari in 2007, shortly after the first iPhone was released. Additionally, he's been a fixture at the Pwn2Own security contest, competing to gain control of Apple's Mac OS X computers through the built-in Safari Web browser. More recently, Miller detailed that the low-level system software that ships on all of Apple's recent-model batteries was protected by the same two passwords, letting would-be attackers theoretically disable the batteries given access to an administrator account.
In a tweet, Miller noted that he paid for his development accounts himself, despite the company doling out access to security researchers.