Developer exposes critical iOS flaw, Apple revokes App Store privileges
After you read this story, ask yourself: what would be the public response if Microsoft did this?
Apple is apparently unhappy with the security researcher who snuck a malicious app onto its App Store to expose a flaw in iOS, and has kicked him out of its developer program. Accuvant Labs researcher Charlie Miller published financial app InstaStock -- connected to a server that he operated. Miller effectively had complete control of that device, once the user installed the app. The proof of concept is in the YouTube video shown above.
The app was downloaded only a "few hundred" times since its September App Store approval. While Miller had the capability to install software on devices with InstaStock installed, he chose not to. He also had the capability to steal data, send text messages and even delete information on the devices -- all without the users' consent. In other words, he exposed a very big security vulnerability.
Apple did not receive Miller's work well. Although he says he informed Apple of the issue three weeks ago, the Cupertino company decided to remove his developer access over a terms of service violation. "Apple has good reason to believe that you violated (the iOS developer agreement) by intentionally submitting an App that behaves in a manner different from its intended use", Reuters quotes an Apple e-mail addressed to Miller as saying. He is banned from the Developer Program "for at least a year".
Apple shares some culpability here: its much ballyhooed App Store review process failed to detect the malicious intent of Miller's app, and the flaws within iOS are Cupertino's responsibility alone. Either way, the speed at which Apple moved to cut off the researcher is surprising, even to him.
"First they give researchers access to developer programs, (although I paid for mine) then they kick them out...for doing research", he laments in a tweet on Monday. "Me angry". In a later tweet he adds: "For the record, without a real app in the App Store, people would say Apple wouldn't approve an app that took advantage of this flaw".
Miller's findings may have protected iOS users from legitimate threats. So why is Apple's response so heavy-handed? That is unknown -- Apple is not responding to requests for comment on the matter.