Apple Kicks Security Researcher Out Of The App Store After iOS Exploit Demonstration


photo courtesy of Forbes

We told you a couple of hours ago about security guru Charlie Miller’s new iOS vulnerability that allows an approved App Store app to run unsigned code remotely. Miller has been hacking Apple’s products for years, and this most recent bug is a particularly nefarious exploit that could be used for all kinds of evil purposes.

Charlie Miller is one of the good guys, however, and he is planning to show his cards at the SysCan conference in Taiwan next week. The ends don’t always justify the means in this case, as Apple has now kicked Miller out of the App Store and iOS Developer Program.

In a series of tweets, Miller announced Apple’s swift decision to ban him from the iOS world. Miller demoed his hack via a sleeper app, called Instastock, that he submitted to the App Store. In a video, he demonstrated running unsigned code from his home server on the Apple-approved app.

The bug involves exploiting JavaScript code in iOS that Apple didn’t secure well enough in the latest release of the operating system. Apple touts iOS as being more stable than competitors like Android, and the bug Miller discovered poses a dangerous threat to Apple’s spotless App Store ecosystem.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Since Miller posted the video outlining his hack earlier today, Apple has banned him from both the App Store and Developer Program. On his Twitter account, Miller complained, “First they give researchers access to developer programs, (although I paid for mine) then they kick them out.. for doing research.”


One could argue that Miller, as a respected security researcher with a track record of exploiting Apple’s products, could have reported the exploit to Apple directly instead of planting a malicious app in the App Store. On the other side of the coin, it’s telling that Miller got his app through Apple’s review team in the first place.

What do you think? Was Apple justified in removing Miller from the App Store entirely (instead of pulling the Instastock app specifically) and kicking him out of the iOS Developer Program?

  • Mark Plushnick

    well apple had the terms and agreements behind them

  • Alex

    They just alienated their biggest ally in the world of hacking exploits for Mac OS and iOS!  Great job Apple!

  • Techy8789

    :P

    He uses Ubuntu (Linux).  Interesting, given he worked for Apple.

  • Emil Dahlberg

    This is how wars begin. Just poor communications by both parties involved. Should he have been stripped of his stripes, no. Should have sat down at the same table and discussed this issue, absolutely, yes.

  • Dave Stephens

    And now they are walking funny…

  • iDaBoss

    Apple has a reputation to uphold. They can’t just let things slide.

  • Daniel Nelms

    I wonder if he bothered to tell them about this before he purposely uploaded an app to the app store with a backdoor in it as proof of concept? I’m not 100% on this but I am pretty sure that violates the TOS.  Apple has a right (and responsibility) to protect its users from downloading stuff like this. I think it’s great that he figured out this hole, I just think he went about exposing it the wrong way.  Maybe they should offer him a job, who knows what else he might find?

  • jimmyjame

    Apple is both stupid and arrogant to kick someone that had shown a very basic way (for him anyway) to get an App approved with a back door to it. Apple aren’t doing their job to make sure that iPhone, iPad and I’m guessing iPod as well are secure. He pointed out something they should have taken on and looked into deeper.

    Apple like any company can be arrogant when it comes down to people showing them their software is not as safe as they might think.

    Stricter checks should be put through apps to make sure there is nothing there that gives hackers this ability. Stricter security in the way apps have the final approval.

    Given that he didn’t go about it the right way he was “researching” ways of doing what he just did and Apple are just arrogant to the fact their operating system is not up there and shown it can be used to allow hackers access.

  • Atienne

    whatever the end, he broke the rules and uploaded a malicious app. 

  • Noemail

    osx is Linux

  • Robert X

    NO it is not Linux. It is BSD. That is a world of difference.

  • kavok

    It’s really starting to get confusing between the iOS App Store and the Mac App Store.  When these blogs are written, could you please clarify which one is being discussed before one has to read half the article to understand what’s going on?

  • Robert X

    It doesn’t matter why. He uploaded malware to the store in violation of the agreement he signed and agreed to abide by.

  • Robert X

    That said, I hope Apple lets him back in.

  • morgan3nelson

    CoM is once again exhibiting negligence in their reporting of details – those pesky little fact based things that seem to get in the way of a sensational story.

    Charlie Miller broke a cardinal rule of the White Hats – always notify the OS manufacturer before bringing to light a vulnerability.

    Not only did he refrain from bringing the vulnerability to Apple’s attention before his very public display, but he also blatantly broke the rules associated with the Apple Developer Program.  As a result he has been justly banned.

    The manner in which he exposed the vulnerability proves his motives as less than ethical.

  • Andrew Delgado

    He is Robin hood to me, just saying

  • Jeff1741

    The first sentence contains “iOS”.

  • CleverB

    Google’s Android Market is far more exposed, and yet, Google pays developers for exploits to help mitigate the worse exploits that potentially show up.  The idea that Miller publicized the flaw on iOS before notifying Apple seems to be more about self-promotion than security.  Seems he got his wish though.

  • David Michael Gregg

    This is bull. A whitehat needs to be able to demonstrate his concept in order to do his job. And in this case, his concept was that an app with malicious code could *get into the App Store*. This wasn’t just about the Javascript exploit; it was about Apple’s app review system. Apple has again demonstrated that they can’t handle being imperfect. “You can’t beat me! But please try! …oh, you beat me? Well, then I’m taking my ball and going home!” Be mature, Apple: learn from the people who are trying to help make you better.

  • Namarrgon

    What was malicious about it? Did it damage anything?

    I thought it was just a proof-of-concept. If all companies banned anyone who demonstrated security holes (i.e. not abusing them for gain), the world would be a lot less secure than it is now.

  • Namarrgon

    Did he release the details of how to go about exploiting this vulnerability? Or did he just say “there exists a javascript exploit – see, it’s possible”?

    I’m sure Apple would prefer he didn’t embarrass them, but I see no evidence of harm, and they just lost a loyal and effective security researcher.

  • Thelimpidheart

    As a respected security researcher, Miller should have reported the exploit to Apple directly. Planting the malicious app and then creating a video demonstrating himself running unsigned code from his home server was not “Respectable.” He could have easily submitted his finding to Apple. This appears more like bragging than aiding. 

  • Dustin

    It’s comments like this that make baby Jesus cry.

  • prof_peabody

    Don’t be stupid.  Miller must have expected to be thrown out either temporarily or permanently.  They can’t just not enforce the rules because he’s infamous.  

    Also, re: the article … Yeah, he’s one of the “good guys” but he exposed this flaw in an irresponsible and unprofessional way, and (true to his gigantic ego), did it just to make a splash.

    He’s great at what he does, but he’s a loose cannon.  You can’t work with people like that.  So far he hasn’t done any harm, and he actually helps for the most part but that doesn’t mean they shouldn’t be very careful around him.  

    He’s not what you would call a team player at all.  He’s someone you’d want to watch like a hawk even if he was your friend.

  • Dustin

    I wonder if one could argue that this was not malware, but rather an experiment.  Given that there was no intent to use the app in a malicious way.

  • marioyohanes

    Ok so Miller has a good heart by planting an app in App Store that everyone can download and he can do anything he wants from that app remotely without Apple’s knowledge? I don’t think so! If you’re a good security researcher or white hat hacker or whatever, you should report your analysis to Apple, not to the whole world through Twitter while God knows how many apps he’d planted in App Store and God knows how many bad things he had done to iOS users!

  • Dilbert A

    this

  • Dilbert A

    “Given that he didn’t go about it the right way…” I guess is another way of saying that Charlie Miller willfully violated the Apple Developer agreement.

    He had his account closed for that reason, and all your blathering about Apple doesn’t negate that James.

  • ScytheNoire

    Miller: “Apple, you are flawed. Here is what is wrong so you can fix it.”
    Apple: “We are not flawed, we are perfect in every way. You are hereby banned from our Cult! Out with you heathen! Take your hearsay, you blasphemer!”

  • Dustin

    He did demonstrate a legitimate reason for posting this application in the first place.  To prove that it can be done.  Given Miller’s line of work and video demonstration on YouTube, it was pretty obvious there was no malicious intent for this app.

    But still I can’t read his mind.  I’m just banking on that it’s pretty stupid to show the world that your software is malicious and then go and use it in a malicious way.  A big part of writing an app like that is to never get caught.

  • Dilbert A

    He did not inform Apple before his action. It was a clear violation of the iOS Developers Program legal agreement that he signed.

    I guess he figured it was more beneficial to go to test and public first. But then again maybe it’s all about the press & the lulz. Most hackers define themselves by their conquest. Just remember the idiom; as you make your bed, so you must lie upon it.

    At least he’s not bitching about it like some people on this site, oh wait…

    http://twitter.com/#!/0xcharli

    Charlie Miller @0xcharlie, St. Louis, MO: I’m that Apple 0day guy

    “no, I thought they’d just remove the app and we’d still be friends.”

    “feels heavy handed, I miss Steve.”

    “First they give researcher’s access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry”

    “OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!”

    “Apple has removed my app from the app store, those bastards!”

    “it’s hard to be an international haxor.”

  • Dilbert A

    It’s Apple’s fault that Charlie Miller willfully violated the iOS dev agreement that he signed?

    Just because I let my neighbor’s kids play in my yard when I’m home, doesn’t mean that he can have a party in my house when I’m not home.

  • SevanGrim

    the thing to realize is that Charlie put the actual flaw out to the world before Apple knew about it. All you “he’s a hero/robin hood/ white hat” people would be singing a different tune if your words with friends app obliterated your ios, erased all your contacts and posted your passwords online in that however many hours Apple wasn’t aware/able to fix it.

    there is a process. there is a code. and it separates the boys from the men. or in this case the dudes who get permanently Apple blacklisted from the dudes who get an immediate job doing what they love.

  • Robert Norris Hills

    I hope Miller strikes back and goes Halo on their ass. 

  • SLewAK

    Sounds like Jobs is still alive.

  • iamacat

    What’s the big deal? Apple doesn’t disassemble your complete binary code, only observes its behavior in usual use circumstances on their test hardware. If you want to add hidden functions or implement an interpreter to run code downloaded later, nothing stops you until one of the users rats you out and you get banned.

  • Len Williams

    The problem is that once he demonstrated the vulnerability, it advertises it to other potential hackers and invites them to find and exploit it. Yes, Miller should have informed Apple about the problem prior to going public. He might even have gotten the app approved and posted in the App Store and then informed Apple of what he’d done instead of announcing it publicly. It would have then showed the iTunes team that they need to tighten their security checks for stuff like this. By going public before informing Apple, he unnecessarily put all kinds of iOS users at risk.

  • Elmer5167

    Charlie Miller did warn Apple about the hack, 3 weeks before he posted about this flaw.
    http://www.engadget.com/2011/1

  • Myhandisalwaysnice

    The thing is that Apple Developer License Agreement specifically prohibits executing code remotely.

  • Sam Parmenter

    Yeah, he has explained in plenty enough detail to allow others to replicate what he had done. I believe that he said that it was able to access the system due to iOS allowing their javascript engine low level access to the OS so as to improve performance. This allows him to pipe malicious code into your phone and access parts of the system that would naturally be invisible to the javascript engine.

  • HaHa

    Quite amusing to see all the sheep defending the almighty Apple. If he had exposed a security flaw in a Microsoft app store you sheeple would all be talking about what a great guy Charlie Miller is for exposing evil old Microsoft’s laziness. Instead he’s an unethical loose cannon because he showed the world how vulnerable Apple really is.

  • jnjnjn3

    No. Miller is directly liable for any damage he has done.
    And that’s the real deterrent, you’re not anonymous as an application developer.

    J

  • Rjfilter

    As reported in Forbes:

    “Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th.”

  • Rjfilter

    Apple is acting like a petulant child. Yes, it’s embarrassing but get over it.
    Apple get off your duff and take action. As reported in Forbes:
    “Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th.”

  • HaHa

    What damage? All he did was expose a java exploit that Apple didn’t correct. I fail to see any “damage” he has caused.

  • Robb138

    I think that he had a signed contract stating that he would not put such coding into an app submitted to the app store, but then did just that. On the other hand, I’m a big proponent of the ‘no harm, no foul’ rule. Apple could give him a cease and desist letter, basically saying ‘don’t do this again, or we will be forced to kick you out of the app developer program’. Although he broke a signed contract, it still seems a little knee-jerk to boot a guy for something that didn’t hurt anyone, and may in the long-run help many.

  • Robb138

    But then again, maybe his advertisement of the exploit will actually harm people.

  • George Russell

    Its got ‘iOS’ several times throughout the article :/
    First being in the title…

  • Andy Rink

    There is a simple way to determine if his intent was malicious… What was the payload? Does it brick your phone? Does it upload your personal info?

    In other words, does it actually do anything BAD? Doesn’t sound like it, or he would probably be facing charges in addition to his Apple blackballing.

  • acondiff

    I think Apple should have hired him onto their security team. lol.

  • oifbtdt

    Apple was unquestionably justified in exercising their rights under the terms Miller agreed to when he clicked the accept button, while joining the iOS Developer Program. 

    Miller knows this, but decided the publicity would be more personally rewarding for him – and I’m sure he’s right.

  • oifbtdt

    osx is based on Free BSD UNIX, not Linux.   Big difference.

  • Happyclam

    Well, this would be similar to a situation where a cracker broke into a secure system without their authorization. It’s still illegal even  if he only did it to prove that there was a security flaw.

    Follow the steps and contact the developer first. If they don’t do anything about it, then you can pull out the publicity card. This guy broke the rules, pure and simple. He didn’t follow the established rules for reporting a flaw and got burned for it. Now he’s crying about it. Sorry, but no sympathy.

  • Happyclam

    After further reading, I see that he had contacted Apple. However, he did take action without their approval by uploading the software into their app store. He should have waited or played the publicity card of “I found a serious bug but Apple isn’t taking it seriously” before trying something himself because all it did was open him up to retaliation like this.

  • Mike Pisino

    How else could he manage to figure out if the app would pass the approval process unless he uploaded it?  It sounds like a testing sequence that ended up being a legal issue, but since this guy is a known quantity, I believe he should get a pass.

  • harmo tend

    Javascript

  • ping1973

    Apps store should not approve JavaScript programmer. Updates may change JavaScript anytime.

  • Stevejg61

    he should be kicked out – his app is obviously a fake – Apple does not have security holes in their products – everybody knows this and Apple says it is so

  • Atienne

    he broke his signed agreement and so he got booted. oh well. 

    if you show someone the secret back entrance to a bank vault, but do not go in yourself, you STILL are sure as hell going to jail with them. whereas if you call the bank and tell them the back door is open, you might get rewarded. that’s the idea of white hat hacking. you always tell the company first before you go public to give them a chance to fix the problem. he did not.

  • Stevejg61

    maybe for once Apple will get off their duffs and fix the bug fast – they have a reputation of fixing things like this very slowly – maybe it takes a real threat to fix things

  • baby_Twitty

    Nah, he’s lucky Apple didn’t sue the pants off him. He could have gotten a tough letter from Apple’s legal team. And we know how difficult they can be to deal with.

    Morally, he should’ve notified Apple of the exploit instead of going public.

    Imagine if Apple would have let him off, other hackers would have used this as a precedent or excuse to exploit and spread malware through the App Store. It’s a no-brainer really.

  • gluefish

    Shoot the guy who demos the fault.  THAT’ll make the fault go away.

  • did

    if he gave Apple 5 Days he had the right to go public with the exploit if Apple did not reach out and address his discovery.

  • leeFX

    Psst. He did… informed them almost a month ago (10-14-11).

About the author

Alex Heath has been a staff writer at Cult of Mac for over two years. He is also a co-host of the CultCast. He has been quoted by places like the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to get in touch, additional contact information is available on his personal site. Twitter always works too.