We told you a couple of hours ago about security guru Charlie Miller’s new iOS vulnerability that allows an approved App Store app to run unsigned code remotely. Miller has been hacking Apple’s products for years, and this most recent bug is a particularly nefarious exploit that could be used for all kinds of evil purposes.
Charlie Miller is one of the good guys, however, and he is planning to show his cards at the SysCan conference in Taiwan next week. The ends don’t always justify the means in this case, as Apple has now kicked Miller out of the App Store and iOS Developer Program.
In a series of tweets, Miller announced Apple’s swift decision to ban him from the iOS world. Miller demoed his hack via a sleeper app, called Instastock, that he submitted to the App Store. In a video, he demonstrated running unsigned code from his home server on the Apple-approved app.
“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”
Since posting the video outlining his hack earlier today, Apple has banned Miller from both the App Store and Developer Program. On his Twitter account, Miller complained that, “First they give researchers access to developer programs, (although I paid for mine) then they kick them out.. for doing research.”
As a respected security researcher with a track record of exploiting Apple’s products, one could argue Miller could have reported the exploit to Apple directly instead of planting a malicious app in the App Store. On the other side of the coin, it’s telling Miller got his app through Apple’s review team in the first place.
What do you think? Was Apple justified in removing Miller from the App Store entirely (instead of pulling the Instastock app specifically) and kicking him out of the iOS Developer Program?