
Ban first, ask questions later

Many companies like Google Inc. (GOOG), Microsoft Corp. (MSFT), and the Mozilla Foundation reward developers with bounties of thousands of dollars for finding and exposing security flaws in their products.  Apple, Inc. (AAPL) rewards developers by kicking them out of the company's development program.

I. Tell Apple Its Security Problems, Get Kicked Out
 
Long-time Mac and iDevice hacker Charlie Miller [1][2][3] found this out the hard way this week when Apple unceremoniously revoked his developer privileges.
 
The incident occurred after Mr. Miller created an app called Instastock, which carried out a proof-of-concept attack using a bug he found in the iPhone's built-in Safari browser.  From iOS 4.3 onward, Safari apparently allowed unsigned code to be placed in memory and executed.

Code signing is the iPhone's primary line of defense.  Any app installed on the iPhone must first carry a signature issued by Apple through the App Store submission process, so only code Apple has reviewed is supposed to run.  While it is quite popular to turn off Apple's code signing protections in order to "jailbreak" iPhones -- allowing banned apps and forbidden customizations -- the exploits that make this possible also potentially allow malicious code to be executed.  A bug that lets unsigned code into executable memory defeats the mechanism in the same way, whether or not the app that triggers it passed review.
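As an added illustration of the gate described above (example code written for this edit, not Apple's implementation and not from Mr. Miller's work): a toy store signs the SHA-256 digest of a reviewed binary with an Ed25519 key, and the device refuses to install anything that does not verify against the store's public key. The names `Store`, `Approve`, `Install` and `SignedApp` are this example's own. It also makes the limit of the check visible: verification runs at install time against the bytes that were reviewed, so a bug that lets an already-installed app load and run unsigned bytes at runtime is outside its reach.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedApp is a hypothetical app bundle (this example's own type): the
// binary bytes plus the store's signature over their SHA-256 digest.
type SignedApp struct {
	Name      string
	Binary    []byte
	Signature []byte
}

// Store stands in for the review-and-sign step. It holds the only private
// key; devices are provisioned with just the public half.
type Store struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewStore() (*Store, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Store{priv: priv, Pub: pub}, nil
}

// Approve signs the digest of the binary exactly as it was reviewed.
func (s *Store) Approve(name string, binary []byte) SignedApp {
	digest := sha256.Sum256(binary)
	return SignedApp{Name: name, Binary: binary, Signature: ed25519.Sign(s.priv, digest[:])}
}

// Install is the device-side gate: anything whose current bytes do not
// verify against the store's public key is refused. This is all that code
// signing checks; it says nothing about what the binary does once running.
func Install(pub ed25519.PublicKey, app SignedApp) error {
	digest := sha256.Sum256(app.Binary)
	if !ed25519.Verify(pub, digest[:], app.Signature) {
		return errors.New("refusing to install " + app.Name + ": signature does not match binary")
	}
	return nil
}

func main() {
	store, err := NewStore()
	if err != nil {
		panic(err)
	}
	// Constructed sample "binaries"; real bundles would be Mach-O files.
	good := store.Approve("stocktracker", []byte("reviewed binary"))
	fmt.Println("signed app:   ", Install(store.Pub, good))

	// Modified after approval: the digest changes, so the signature fails.
	tampered := good
	tampered.Binary = []byte("reviewed binary + extra code")
	fmt.Println("tampered app: ", Install(store.Pub, tampered))

	// Never reviewed: no signature at all.
	unsigned := SignedApp{Name: "sideload", Binary: []byte("whatever")}
	fmt.Println("unsigned app: ", Install(store.Pub, unsigned))
}
```

Running it shows the first install succeeding and the other two refused. The tampered case is the one worth noticing: signing binds the signature to the exact reviewed bytes, which is why a reviewer-visible binary that later pulls in unsigned code at runtime (the class of bug the article describes) has to be caught by a runtime control, not by this check.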

For that reason, rather than handing his discovery to the jailbreaking community, Mr. Miller opted to carefully test it and then approach Apple.

Charlie Miller
Apple has banned Charlie Miller for exposing its flaws. [Source: YouTube]

Testing began with his Instastock app, which used the exploit to perform innocuous proof-of-concept mischief of the kind the App Store would normally forbid, such as making the phone vibrate, downloading the contacts list to an attached computer, or launching an external YouTube video.

Instastock
Instastock, Mr. Miller's app, masquerades as an innocuous stock tracking app [Source: YouTube]

Mr. Miller then approached Apple, giving the company fair warning and a chance to fix the bug before he published his findings at the SyScan conference in Taipei (Nov. 17-18).  Rather than thank Mr. Miller for finding its mistake and warning it before a malicious party found and exploited the bug against users, Apple reacted quite negatively.
 

Apple pulled Mr. Miller's app from the App Store -- which was pretty understandable given that while it wasn't doing anything outright malicious, it was using unauthorized functionality.  But what it did next was far more troublesome -- it kicked Mr. Miller out of its developer program, citing violations in the developer terms of service.

II. The Boot

Apple wrote Mr. Miller (via CNET):

From: appledevnotice@apple.com
Subject: Notice of Termination
Date: November 7, 2011 4:49:34 PM CST
To: [redacted]

Dear Charles Miller:

This letter serves as notice of termination of the iOS Developer Program License Agreement (the "iDP Agreement") and the Registered Apple Developer Agreement (the "Registered Developer Agreement") between you and Apple, effective immediately.

Pursuant to Section 3.2(f) of the iDP Agreement, you agreed that you would not "commit any act intended to interfere with the Apple Software or related services, the intent of this Agreement, or Apple's business practices including, but not limited to, taking actions that may hinder the performance or intended use of the App Store or the Program". Further, pursuant to Section 6.1 of the iDP Agreement, you further agree that "you will not attempt to hide, misrepresent or obscure any features, content, services or functionality in Your submitted Applications from Apple's review or otherwise hinder Apple from being able to fully review such Applications." Apple has good reason to believe that you violated this Section by intentionally submitting an App that behaves in a manner different from its intended use.

Apple may terminate your status as a Registered Apple Developer at any time in its sole discretion and may terminate you upon notice under the iDP Agreement for dishonest and misleading acts relating to that agreement. We would like to remind you of your obligations with regard to all software and other confidential information that you obtained from Apple as a Registered Apple Developer and under the iDP Agreement. You must promptly cease all use of and destroy such materials and comply with all the other termination obligations set forth in Section 12.3 of the iDP Agreement and Section 8 of the Registered Developer Agreement.

This letter is not intended to be a complete statement of the facts regarding this matter, and nothing in this letter should be construed as a waiver of any rights or remedies Apple may have, all of which are hereby reserved. Finally, please note that we will deny your reapplication to the iOS Developer Program for at least a year considering the nature of your acts.

Sincerely, Apple Inc.

Mr. Miller quickly fired off a post to Twitter, commenting:

OMG, Apple just kicked me out of the iOS Developer program. That's so rude!

The post drew the sympathy of Microsoft developer relations officer Brandon Watson who offered Mr. Miller a free developer subscription on Microsoft's Windows Phone platform, writing:

Hey #0xcharlie, sorry iOS credentials went missing. Want a free Windows Phone dev account? #wpdev folks love the platform.

Of course Mr. Miller is likely going to keep on hacking Apple devices, but the Microsoft post is a clever bit of PR in that it helps illustrate the major difference in approach between Apple and Microsoft -- or Apple and most software firms, for that matter.

This incident isn't terribly surprising for a company that reportedly ordered its employees to lie to customers about malware and who steadfastly insists that its devices are too "magical" to be vulnerable to traditional attacks.

Sources: Charlie Miller, Brandon Watson (Microsoft), CNET




Interesting turn of events
By Brandon Hill (blog) on 11/8/2011 9:30:57 AM , Rating: 5
First of all, Apple has every right to drop kick a developer that circumvents their app store policies which Miller obviously did here.

However, it appears that Miller contacted Apple three weeks ago regarding this issue and didn't hear anything back. At that point, Miller went public which no doubt embarrasses Apple on this issue.

Apple gambled and it lost. Miller will be alright.




RE: Interesting turn of events
By wickyman on 11/8/2011 9:47:28 AM , Rating: 3
While I personally agree with the actions Mr Miller has taken, I also agree Apple had the right to proceed as they did. The right course of action tends to be contact the company who owns the affected software and if they show no interest then you release the code so that the public is aware of the issue.

However, even though many of us would agree with this "procedure" as it is kind of par for the course with such exploits, you don't get immunity. You make the choice to live with the consequences because you feel public knowledge of the security threat is big enough that the owner needs to be compelled to fix it.

But honestly, it doesn't surprise me such notices don't get acknowledged very often. Very few companies have a department set up for users or devs to contact with the reporting of exploits in mind. Typically its some multifunction complaint/help line set up for users or devs who need help. Even if you ask to speak with a manager they may not even know who to report to.

Intel is the only company that has ever had an engineer call me back after tech support was unable to answer my questions. Though the engineer had not come across the issue I was having, he later called back saying he had recreated the issue and a fix was put in place. More companies need to take action like that if they want to avoid situations like this.


RE: Interesting turn of events
By michael67 on 11/8/2011 11:32:23 AM , Rating: 3
My first PC was an Apple II, have also owned a Macintosh and some other nice Apple products.

But behavior like this is why I tuned out of the Apple experience.

But then there are enough other iDiots that like Apple products, so don't think they mind me tuning out.
http://www.bbc.co.uk/news/business-13416272


RE: Interesting turn of events
By B3an on 11/8/2011 3:39:46 PM , Rating: 2
That video is truly sickening.


RE: Interesting turn of events
By wired00 on 11/8/2011 8:18:54 PM , Rating: 2
my god.


RE: Interesting turn of events
By DeluxeTea on 11/8/2011 10:29:00 PM , Rating: 2
Reminds me of a religious cult who likes to drink killer Kool-Aids.


RE: Interesting turn of events
By JasonMick (blog) on 11/8/2011 12:14:08 PM , Rating: 5
quote:
While I personally agree with the actions Mr Miller has taken, I also agree Apple had the right to proceed as they did. The right course of action tends to be contact the company who owns the effected software and if they show no interest then you release the code so that the public is aware of the issue.

I agree with you in a very limited capacity.

Did Apple have the RIGHT to ban Mr. Miller for his actions?

Absolutely. He violated Apple's restrictive terms of service.

But to recap what happened here in a general sense:

1. Security research turned dev. finds dangerous bug.
2. Security researcher reaches out to Apple with findings.
3. Apple refuses to fix the problem.
4. Security researcher submits a dummy app to prove that exploit is possible.
5. Security researcher approaches Apple a second time with proof the malicious apps can be approved via the App Store process.
6. Apple refuses to fix the flaw and bans the dev.
7. Dev. goes public.

Virtually no major software company has as much of an anti-security mindset as Apple these days. The last company I can think of that was that resistant to fixing glaring flaws in its products was AOL in the 90s ... and we all know how that ended up.

The real question people should be asking here is not "Was Apple within its rights to ban the dev?", but rather "Was Apple behaving responsibly and protecting its customers?"

The answer to the latter question appears to be a resounding "no".

Google, Microsoft, and every other major smartphone maker BESIDES Apple all encourage security researchers to become developers and test their platforms' security. Apple is the only one of the major players to ban security professionals from its platform and refuse to fix vulnerabilities until they've been widely publicized in the blogosphere.

Apple's approach is utterly abusive to the end user. It can and will lead to some customers seeing avoidable financial or reputation damage, mark my words. But I guess to an extent buyer beware. If you buy a product from a company that blatantly doesn't care about its users, you get what you asked for.


RE: Interesting turn of events
By MrBlastman on 11/8/2011 1:26:17 PM , Rating: 2
Bite the Apple and refuse to swallow it... and you'll soon find that you've been spit out.


RE: Interesting turn of events
By Fritzr on 11/8/11, Rating: -1
RE: Interesting turn of events
By blankslate on 11/8/2011 2:31:38 PM , Rating: 5
Microsoft would actually have started work on a solution to the security hole and sent the person or security company who found the flaw confirmation that they were doing so.

MS probably also would have asked the developer for a bit of time before showing how the flaw worked until after a fix was worked out.

Only Apple can get away with trying to ignore the problem then kicking a developer who won't let them ignore the problem that he called to their attention for 6 months or so.


RE: Interesting turn of events
By wickyman on 11/8/11, Rating: -1
RE: Interesting turn of events
By Samus on 11/8/2011 1:42:12 PM , Rating: 4
It's not so much a focus on Miller getting the boot, but a focus on Apple's unwillingness to acknowledge flaw, and dignify their developers with even a response.

I agree with Mr. Miller, that is RUDE.


RE: Interesting turn of events
By cochy on 11/8/11, Rating: -1
RE: Interesting turn of events
By blankslate on 11/8/2011 11:46:57 AM , Rating: 2
quote:
He could have approached this differently.


Apparently he notified Apple of the exploit and then waited for a reply from them acknowledging the issue and that they were working on it.
We know from past experience that Apple has become aware of a security issue and ignored it for months before fixing it.
Apple even instructed tech support employees to pretend a piece of malware didn't exist instead of helping callers remove it.

Considering Apple's attitude of pretending to the general public that security problems affecting Apple products are fairy tales, I don't blame Charlie Miller for uploading the proof-of-concept app after giving Apple a few weeks to fix the problem (even if just temporarily).

Apple could have approached this differently and they damn well should have.


RE: Interesting turn of events
By Fritzr on 11/8/11, Rating: -1
RE: Interesting turn of events
By blankslate on 11/8/2011 2:23:37 PM , Rating: 2
It seems to me that you're ignoring the point that Apple has a demonstrated propensity to ignore security problems.

If they had acknowledged the problem and replied to Mr. Miller "Thanks for notifying us of the issue we will start working on it." or "We are aware of the issue please keep this confidential while we work on a solution."

From what I understand from reading interviews with Charlie Miller; if Apple had replied with acknowledgement of the problem and actually devoted the required resources to fix it in a timely manner he would've waited until after Apple fixed the problem to go public with how he discovered the problem.

You are right Apple had every right to ban Charlie Miller after he uploaded the app.

However, in this case Jason Mick is also right
quote:
The real question people should be asking here is not "Was Apple within its rights to ban the dev?", but rather "Was Apple behaving responsibly and protecting its customers?"


Apple has shown in the past and in this case that they don't behave responsibly when it comes to protecting its customers from people who might attempt to exploit Apple products.


RE: Interesting turn of events
By Solandri on 11/8/2011 3:49:43 PM , Rating: 5
quote:
These three were triggered by his official submission of an app to be included in the AppStore following review of the app and the supporting documentation.

The app was submitted & approved based on the description supplied to Apple -- important information was omitted from that application. This is a violation

The app was DESIGNED to use functions in a manner not permitted by the TOS or mentioned in the description of the app's behavior. This is a violation

The developer used flaws in Apple's software to perform functions not permitted by the TOS. This is a violation.

Unfortunately, because Apple controls the only way to get apps signed and onto your iPhone, the only way to get an exploit like this tested is to violate the TOS. The reason the TOS prohibits the activities you listed is (ostensibly) to keep App Store users safe. The reason Mr. Miller submitted the software to test the exploit was to keep App Store users safe. He violated the letter of the TOS to uphold the spirit of the TOS.

If Apple truly believes in keeping its users safe, it should have seen that, thanked him, and fixed the security hole. Booting him from their developer program (assuming it wasn't a mistaken knee-jerk reaction by some low-level underling) indicates that Apple does not believe improved user safety is the true reason for keeping the App Store locked down tight. That there is another reason for keeping it locked down which supersedes user safety.


RE: Interesting turn of events
By fatedtodie on 11/8/2011 9:50:56 AM , Rating: 5
"First of all, Apple has every right to drop kick a developer that circumvents their app store policies which Miller obviously did here."

That is sort of the whole job of the white hat community. I know it SOUNDS bad but in practice without them, DNS would still be broken.

Any company that doesn't listen to white hats and treats them like criminals may need to figure out if tech is the industry it wants to be in, because obviously they don't get it.


RE: Interesting turn of events
By nafhan on 11/8/2011 10:00:40 AM , Rating: 2
It's not totally clear from the article, but I feel like the main issue here is that he uploaded the app to the app store. I'd be willing to bet he wouldn't have been banned if he'd just contacted Apple about the security problem rather than uploading potentially malicious code.

At the same time, Apple may have been better off contacting him before removing his account as he sounds like a talented dev intent on improving Apple's platform.


RE: Interesting turn of events
By Camikazi on 11/8/2011 12:06:38 PM , Rating: 2
He did contact them and Apple being Apple ignored him and the problem, so he went to phase 2 and showed everyone what the security risk was. That is how these guys work, they find the problem, they contact the developer and if the developer ignores them they will bring the issue to light to force the developer to fix the issue. A simple "we are aware of this and will be fixing it soon" from Apple would have avoided this whole issue.


RE: Interesting turn of events
By nafhan on 11/8/2011 2:18:13 PM , Rating: 2
Like I said... not really clear from the article. Good for him, doing that, though.


RE: Interesting turn of events
By xti on 11/8/11, Rating: -1
RE: Interesting turn of events
By SKiddywinks on 11/8/2011 6:31:56 PM , Rating: 2
No, the justification for bashing Apple has been mentioned many times in the comments. So you are either ignoring them, or skipped them and went straight in to posting your opinion (never a good idea).


RE: Interesting turn of events
By djc208 on 11/8/2011 12:01:40 PM , Rating: 2
quote:
Apple gambled and it lost.


There was no gamble, the minute they decided to respond this way they lost. It's just a matter of how much.

We've all fumed and complained at the PR train Apple has most of its users riding. This is just part of that culture. The issue won't make it any higher than tech news sites, and the majority of the Apple-loving public will be oblivious to these issues and business will go on as usual.

Is Apple allowed to do what it did? Absolutely, but this little splash of bad PR is beneath most of the Apple-buying public and so it doesn't hurt Apple much from a PR stance. It hurts them technologically, but while Apple is innovative it's never really been technologically superior anyway, they're just really good at marketing themselves that way.


RE: Interesting turn of events
By Boze on 11/8/2011 12:54:07 PM , Rating: 2
It's not beneath the Apple-buying public, it's above them.

As it happens, that's part of the problem.

Users should be more educated about the potential pitfalls that this application represents.


RE: Interesting turn of events
By FITCamaro on 11/8/2011 12:03:19 PM , Rating: 3
What happened here is exactly what is wrong with Apple. Their attitude is shit and of the opinion that "we are perfect".


Copyright 2014 DailyTech LLC.