iOS developer exposes security flaw, gets blacklisted
December 29, 2011
Apple has effectively blacklisted respected security researcher Charlie Miller after he discovered and reported a vulnerability in iOS. Exploiting the flaw (since patched by Apple), Miller created an app that made it possible to steal data from, and take control of, the iOS device it was installed on. Further, Miller managed to get the app through Apple's approval process.
Though the version of Miller's InstaStock app - ostensibly a stock market tracker - submitted to the App Store contained no overtly malicious code, it was capable of downloading and running additional unsigned code from a remote server once installed on a user's device. iOS relies on mandatory code signing to ensure that only code Apple has reviewed and signed can execute; the app demonstrated that, prior to the iOS 5.0.1 update, an iOS app could fetch and execute unsigned code from a third-party server that Apple had no way to review, turning any approved app into a potential loader for arbitrary code.
In a demonstration of the app in a YouTube video (uploaded back in September), Miller downloaded the app as approved by Apple, and it presented the user with straightforward stock market data. He then deleted the app, placed a code "payload" on a remote server, and re-downloaded the app from the App Store - a necessary step, since he had designed the app to download additional code only on its very first launch. This time the app rickrolled the user as soon as it launched - a benign enough experience, but as Miller points out, the code - unreviewed by Apple - "could have done anything."
With a second payload, Miller was able to control an iPhone running the app from a command line on the remote server. From that command line he could view the iPhone's files and processes, make the phone vibrate, and copy its address book data.
Though Apple credits Miller for highlighting the flaw, he received an email in early November giving notice of the termination of his iOS Developer Program License Agreement mere hours after he made his findings public - though, interestingly, more than three weeks after he had reported the issue to Apple.
As Miller has freely admitted, he did violate the terms of the developer agreement and as such Apple is entitled to terminate it. But with his track record, Miller argues Apple has been short-sighted. "I report bugs to them all the time," he told Forbes. "Being part of the developer program helps me do that. They're hurting themselves, and making my life harder."
Though Apple has addressed the specific issue, and putting to one side the rights or wrongs of Miller's banishment to app-development limbo, his story again raises questions as to the thoroughness and consistency of Apple's arcane app approval process.
Miller's video demonstrating the vulnerability prior to Apple's patch (and when the app was openly available on the App Store) is below.