Linked by David Adams on Tue 8th Nov 2011 17:03 UTC, submitted by Al Sacco
Privacy, Security, Encryption

An iOS security researcher who submitted a tainted iPhone application meant to expose a weakness in Apple's App Store security process has been suspended from Apple's developer program. And rightly so -- he violated clear terms of service. But what does that say about the security of all those random apps on your iPhone, iPad and iPod?
by Hiev on Tue 8th Nov 2011 17:14 UTC
Hiev
Member since:
2005-09-27

lol

What they should have done is hire the guy.

Edited 2011-11-08 17:15 UTC

Reply Score: 3

Gutsy move
by Alfman on Tue 8th Nov 2011 17:24 UTC
Alfman
Member since:
2011-01-28

I'd be worried that apple men dressed as feds would come to tear my place apart. ;)

Reply Score: 6

RE: Gutsy move
by Thom_Holwerda on Tue 8th Nov 2011 17:26 UTC in reply to "Gutsy move"
Thom_Holwerda Member since:
2005-06-29

I'd be worried that apple men dressed as feds would come to tear my place apart. ;)


Heck even I regularly look over my shoulder.

Reply Score: 3

RE: Gutsy move
by kristoph on Tue 8th Nov 2011 19:46 UTC in reply to "Gutsy move"
kristoph Member since:
2006-01-01

Or better yet, Feds working for Apple.

Actually this guy could potentially face persecution for doing this. Not that he would deserve it but the pertinent law is so out of whack.

Reply Score: 2

I don't see the problem
by leos on Tue 8th Nov 2011 20:56 UTC
leos
Member since:
2005-09-21

This guy knowingly violated the terms of service of the app store and is then surprised when he gets kicked out?

Good on him for finding the security flaw. Good on him for reporting it to Apple. However that's as far as it should have gone. Sneaking in an app is way over the line, since he has actually compromised real devices.

If he wants to get more publicity he could release the info to the public. Sure, this is a more effective publicity stunt, but the reaction from Apple is totally appropriate.

Reply Score: 2

RE: I don't see the problem
by Thom_Holwerda on Tue 8th Nov 2011 22:03 UTC in reply to "I don't see the problem"
Thom_Holwerda Member since:
2005-06-29

Good on him for finding the security flaw. Good on him for reporting it to Apple. However that's as far as it should have gone. Sneaking in an app is way over the line, since he has actually compromised real devices.


He had to prove his exploit worked. Had he not done this, Apple would've simply said "our review process will catch it, so no problem, now bugger off".

Reply Score: 2

RE[2]: I don't see the problem
by WorknMan on Tue 8th Nov 2011 23:00 UTC in reply to "RE: I don't see the problem"
WorknMan Member since:
2005-11-13

He had to prove his exploit worked. Had he not done this, Apple would've simply said "our review process will catch it, so no problem, now bugger off".


The article says he reported the vulnerability to Apple. I wonder if he got any sort of response before publishing his app ...

Reply Score: 2

RE[2]: I don't see the problem
by rhavyn on Tue 8th Nov 2011 23:01 UTC in reply to "RE: I don't see the problem"
rhavyn Member since:
2005-07-06

"Good on him for finding the security flaw. Good on him for reporting it to Apple. However that's as far as it should have gone. Sneaking in an app is way over the line, since he has actually compromised real devices.


He had to prove his exploit worked. Had he not done this, Apple would've simply said "our review process will catch it, so no problem, now bugger off".
"

In which case the responsible thing would have been to take down the app immediately after it was approved. But he didn't.

Reply Score: 2

RE[2]: I don't see the problem
by leos on Wed 9th Nov 2011 06:33 UTC in reply to "RE: I don't see the problem"
leos Member since:
2005-09-21

"Good on him for finding the security flaw. Good on him for reporting it to Apple. However that's as far as it should have gone. Sneaking in an app is way over the line, since he has actually compromised real devices.


He had to prove his exploit worked. Had he not done this, Apple would've simply said "our review process will catch it, so no problem, now bugger off".
"

And that is their prerogative. The market will punish them if they ignore it and it leads to widespread exploits.

Reply Score: 3

Charlie Miller
by henderson101 on Tue 8th Nov 2011 21:13 UTC
henderson101
Member since:
2006-05-30

Ah... Charlie Miller is a bit of a maverick. It's also unlikely Apple could entice him on to the payroll, as he is a general Security Researcher, not Apple specific.

Reply Score: 2

Missing the point
by karunko on Wed 9th Nov 2011 09:37 UTC
karunko
Member since:
2008-10-28

To the people saying that Apple did the right thing and he shouldn't complain about the ban: you are missing the point.

We've been told repeatedly that thanks to the review process whatever we download from the App Store is safe. Well, guess what? That is not the case and, think about it, how could it be? Even when the source code is available, auditing software is hard and, even if this was the case, with a gazillion apps on the store and (I suspect) only a handful of reviewers on the staff, how could they possibly catch everything?

In other words: you can't believe everything you hear (even if it comes from Apple) and a bit of caution is still advisable. In this respect iOS is no different from any other platform: it's safer to stick to well known, reputable developers.

On a more technical note, it seems to me that Miller's application wasn't malware per se: the application behaved normally until he instructed it to download the malicious payload, didn't it?


RT.

Reply Score: 4

Comment by zima
by zima on Tue 15th Nov 2011 23:53 UTC in reply to "Missing the point"
zima Member since:
2005-07-06

What's really curious is how the claims of iOS safety persist despite the often quite quick emergence of jailbreak-via-Safari - essentially, a root access exploit when accessing a random website.

Reply Score: 2