An iOS security researcher who submitted a tainted iPhone application meant to expose a weakness in Apple’s App Store security process has been suspended from Apple’s developer program. And rightly so — he violated clear terms of service. But what does that say about the security of all those random apps on your iPhone, iPad and iPod?
lol
What they should have done is hire the guy.
Edited 2011-11-08 17:15 UTC
I’d be worried that apple men dressed as feds would come to tear my place apart.
Heck even I regularly look over my shoulder.
Or better yet, Fed’s working for Apple.
Actually this guy could potentially face prosecution for doing this. Not that he would deserve it but the pertinent law is so out of whack.
This guy knowingly violated the terms of service of the app store and is then surprised when he gets kicked out?
Good on him for finding the security flaw. Good on him for reporting it to Apple. However that’s as far as it should have gone. Sneaking in an app is way over the line, since he has actually compromised real devices.
If he wants to get more publicity he could release the info to the public. Sure, this is a more effective publicity stunt, but the reaction from Apple is totally appropriate.
He had to prove his exploit worked. Had he not done this, Apple would’ve simply said “our review process will catch it, so no problem, now bugger off”.
The article says he reported the vulnerability to Apple. I wonder if he got any sort of response before publishing his app …
In which case the responsible thing would have been to take down the app immediately after it was approved. But he didn’t.
And that is their prerogative. The market will punish them if they ignore it and it leads to widespread exploits.
Ah... Charlie Miller is a bit of a maverick. It’s also unlikely Apple could entice him on to the payroll, as he is a general Security Researcher, not Apple specific.
To the people saying that Apple did the right thing and he shouldn’t complain about the ban: you are missing the point.
We’ve been told repeatedly that thanks to the review process whatever we download from the App Store is safe. Well, guess what? That is not the case and, think about it, how could it be? Even when the source code is available, auditing software is hard and, even if this was the case, with a gazillion apps on the store and (I suspect) only a handful of reviewers on the staff, how could they possibly catch everything?
In other words: you can’t believe everything you hear (even if it comes from Apple) and a bit of caution is still advisable. In this respect iOS is no different from any other platform: it’s safer to stick to well known, reputable developers.
On a more technical note, it seems to me that Miller’s application wasn’t malware per se: the application behaved normally until he instructed it to download the malicious payload, didn’t it?
RT.
What’s really curious is how the claims of iOS safety persist despite the often quite quick emergence of jailbreak-via-Safari – essentially, a root access exploit when accessing a random website.