Apple expels expert after he exposes software flaw
Apple expelled a highly regarded cybersecurity expert from one of its developers’ programs, stripping him of rights to build software for iPads and iPhones after he publicly demonstrated a flaw in its iOS operating system.
The electronics giant took action after Charlie Miller, a researcher with Accuvant Labs, disclosed that he had figured out a way to build apps that can secretly download other programs that are capable of stealing data, sending text messages or destroying information.
He proved his theory by building a stock market monitoring tool called InstaStock, which connected to a server he controlled once it was installed on an iPhone or iPad. He was then effectively able to gain complete control of an infected device. Miller posted a YouTube video of the technique.
He said that several hundred Apple customers had downloaded the free app and that it had connected to his server, but said he had not installed any other software on their devices.
Still, the incident may have proved embarrassing for Apple because its App Store failed to identify that InstaStock was actually a prototype malicious program. That meant there could currently be malware in the App Store that similarly made it past the security vetting process, Miller said.
Officials with Apple declined to comment on the matter in response to several inquiries.
But the company said in an email to Miller sent late on Monday that it was revoking his rights to develop iOS software for the iPhone and iPad, and would no longer distribute his programs through the App Store.
“Apple has good reason to believe that you violated [the iOS developer agreement] by intentionally submitting an App that behaves in a manner different from its intended use,” the email said.
“We will deny your reapplication to the iOS Developer Program for at least a year, considering the nature of your acts,” the letter read.
Miller is a well-known researcher who in 2009 identified a bug in the iPhone text-messaging system that allowed attackers to gain remote control over the devices.
Miller also acknowledged that he had violated the Terms of Service (TOS) of the iOS developers program.
“I doubt the TOS lets me do any of the crap I do. So why boot me now?”
Miller is scheduled to present his detailed research at the SyScan ’11 security conference in Taiwan next week.