Developer Demonstrates Serious Security Breach in iOS, Apple Bans His Account
November 8, 2011 9:06 AM
Ban first, ask questions later
Many companies like Google Inc. (
), Microsoft Corp. (
), and the Mozilla Foundation reward developers with
bounties of thousands of dollars
for finding and exposing security flaws in their products. Apple, Inc. (
) rewards developers by kicking them out of the company's development program.
I. Tell Apple Its Security Problems, Get Kicked Out
Long-time Mac and iDevice hacker Charlie Miller [
] found this out the hard way this week when Apple unceremoniously revoked his developer privileges.
The incident occurred after Mr. Miller created an app called Instastock, which carried out a proof-of-concept attack using a bug he found in the iPhone's built-in Safari browser. Safari, from iOS 4.3 onward, apparently was allowing unsigned code to be placed in memory and run.
Code signing is the biggest line of defense for iPhone owners. Any app installed on the iPhone must first receive a special authorization (signature) from Apple via the App Store submission process. While it is quite popular to turn off Apple's code signing protections in order to "jailbreak" iPhones -- allowing banned apps and forbidden customizations -- the exploits that allow this to be done also potentially allow malicious code to be executed.
For that reason, rather than gifting his discovery on the jailbreaking community, Mr. Miller instead opted to carefully test his discovery and then approach Apple about it.
Apple has banned Charlie Miller for exposing its flaws. [Source: YouTube]
Testing began with his Instastock app, which using the exploit performed innocous proof-of-concept mischief that would typically be forbidden, such as making the phone vibrate, downloading the contacts list to an attached computer, or launching an external YouTube video.
Instastock, Mr. Miller's app, masqerades as an innocous stock tracking app [Source: YouTube]
Mr. Miller then approached Apple, giving the company fair warning and a chance to fix the bug before he published his findings at the
in Taipei (Nov. 17-18). Rather than politely compensate Mr. Miller for finding their mistake and warning them before a malicious party found it and attacked users, Apple instead reacted quite negatively to these developments.
Apple pulled Mr. Miller's app from the App Store -- which was pretty understandable given that while it wasn't doing anything outright malicious, it was using unauthorized functionality. But what it did next was far more troublesome -- it kicked Mr. Miller out of its developer program, citing violations in the developer terms of service.
II. The Boot
Apple wrote Mr. Miller (
Subject: Notice of Termination
Date: November 7, 2011 4:49:34 PM CST
Dear Charles Miller:
This letter serves as notice of termination of the iOS Developer Program License Agreement (the "iDP Agreement") and the Registered Apple Developer Agreement (the "Registered Developer Agreement") between you and Apple, effective immediately.
Pursuant to Section 3.2(f) of the iDP Agreement, you agreed that you would not "commit any act intended to interfere with the Apple Software or related services, the intent of this Agreement, or Apple's business practices including, but not limited to, taking actions that may hinder the performance or intended use of the App Store or the Program". Further, pursuant to Section 6.1 of the iDP Agreement, you further agree that "you will not attempt to hide, misrepresent or obscure any features, content, services or functionality in Your submitted Applications from Apple's review or otherwise hinder Apple from being able to fully review such Applications." Apple has good reason to believe that you violated this Section by intentionally submitting an App that behaves in a manner different from its intended use.
Apple may terminate your status as a Registered Apple Developer at any time in its sole discretion and may terminate you upon notice under the iDP Agreement for dishonest and misleading acts relating to that agreement. We would like to remind you of your obligations with regard to all software and other confidential information that you obtained from Apple as a Registered Apple Developer and under the iDP Agreement. You must promptly cease all use of and destroy such materials and comply with all the other termination obligations set forth in Section 12.3 of the iDP Agreement and Section 8 of the Registered Developer Agreement.
This letter is not intended to be a complete statement of the facts regarding this matter, and nothing in this letter should be construed as a waiver of any rights or remedies Apple may have, all of which are hereby reserved. Finally, please note that we will deny your reapplication to the iOS Developer Program for at least a year considering the nature of your acts.
Sincerely, Apple Inc.
Mr. Miller quickly fired off a post to Twitter, commenting:
OMG, Apple just kicked me out of the iOS Developer program. That's so rude!
The post drew the sympathy of Microsoft developer relations officer Brandon Watson who offered Mr. Miller a free developer subscription on Microsoft's Windows Phone platform, writing:
, sorry iOS credentials went missing. Want a free Windows Phone dev account?
folks love the platform.
Of course Mr. Miller is likely going to keep on hacking Apple devices, but the Microsoft post is a clever bit of PR in that it helps illustrate the major difference in approach between Apple and Microsoft -- or Apple and most software firms, for that matter.
This incident isn't terribly surprising for a company that reportedly ordered its employees to lie to customers about malware and who steadfastly insists that its devices are
too "magical" to be vulnerable
to traditional attacks.
Brandon Watson (Microsoft)
"If a man really wants to make a million dollars, the best way would be to start his own religion." -- Scientology founder L. Ron. Hubbard
Google, Mozilla Bump Top Award for Critical Bugs to $3,000
July 21, 2010, 9:39 AM
Charlie Miller to Unveil 20 Zero-day OS X Exploits at CanSecWest
March 19, 2010, 9:55 AM
Apple's iPhone Executes SMS Binary Code as Root, Fix Won't Come Until End of Month
July 2, 2009, 3:38 PM
Mac Gets The Girl In New Anti-Microsoft Ad
May 13, 2009, 9:33 AM
Apple's Safari Security Woes
March 31, 2008, 12:22 PM
Xiaomi Mi 6 - Flash Sale on April 28 in China
April 26, 2017, 7:45 AM
Apple Watch NikeLab Limited Edition unveiled.
April 22, 2017, 6:20 AM
What is the Apple’s iPhone 8 specifications and release date?
April 14, 2017, 5:43 AM
Xiaomi Mi Pad 3 tablet with Hexa –Core SoC, Android Marshmallow
April 6, 2017, 6:40 AM
Vivo launches V5 Plus IPL edition smartphone
April 4, 2017, 11:10 AM
Samsung S8 and S8 Plus: On Sale April 21 at Major Wireless Dealers
March 30, 2017, 7:35 AM
Most Popular Articles
Surface Pro 5 Rumors - New Release Date and Price
April 22, 2017, 6:45 AM
Apple Watch NikeLab Limited Edition unveiled.
April 22, 2017, 6:20 AM
SAPPHIRE PULSE Radeon RX 580 8GD5 – Great Value for the Money
April 20, 2017, 7:47 AM
Meet the Smartphone with four cameras - Alcatel Flashphone
April 5, 2017, 11:20 AM
Dell Inspiron 17 7000 – A Premium Laptop featuring 7th Gen Intel Core i7 in a 2-in-1 Frame.
April 19, 2017, 7:45 AM
Latest Blog Posts
Galaxy Note 8 – Available Second Half 2017
Apr 28, 2017, 7:30 AM
Google Android App – Huge improvement on Nighttime Photography
Apr 27, 2017, 7:40 AM
Google Co-Founder, Sergey Brin has an Airship
Apr 26, 2017, 6:43 AM
Samsung Galaxy S8 and S8 Plus – Lots of Glass that Breaks Easily
Apr 25, 2017, 7:20 AM
Samsung Galaxy S8 – Warning for Pet Owners
Apr 24, 2017, 5:59 AM
Sound Bars and the Costs?
Apr 23, 2017, 6:30 AM
Link your Brain to Your Computer – In Four Years…Maybe
Apr 22, 2017, 7:03 AM
Google Home can now identify users by their voice.
Apr 21, 2017, 7:15 AM
Amazon Lex – Now Available for Developers.
Apr 20, 2017, 6:58 AM
You can now use Instagram offline on your Android Smartphone
Apr 19, 2017, 8:00 AM
Now you can livestream to YouTube from your mobile device.
Apr 18, 2017, 8:05 AM
Google Home – Is It a Spy Device?
Apr 17, 2017, 7:30 AM
Apple added to self –driving test permit list
Apr 15, 2017, 6:21 AM
Project Scorpio – Coming on June 11
Apr 14, 2017, 6:20 AM
Looks Like Samsung Has Been Forgiven.
Apr 13, 2017, 6:50 AM
United Airlines - Blasted on China’s Social Network and the Stock Market
Apr 12, 2017, 6:50 AM
Amazon's Third-Party Sellers Hacked
Apr 11, 2017, 6:25 AM
Microsoft Surface Pro5 Details Revealed
Apr 9, 2017, 6:41 AM
Own An Android Phone? Then you could be hacked over Wi-FI
Apr 7, 2017, 6:47 AM
Apple confirms iOS 10.3 bug and its effect on iCloud Services
Apr 6, 2017, 6:30 AM
Apple Rolls Out New Version of Apple Music
Apr 5, 2017, 10:35 AM
Apple in the News
Apr 4, 2017, 9:03 AM
More Blog Posts
Copyright 2017 DailyTech LLC. -
Terms, Conditions & Privacy Information