Mobile // Mobile Devices
Commentary
11/9/2011
12:57 PM
Larry Seltzer

Apple Bans Researcher For Disclosing iOS Bug

Dr. Charlie Miller, the best known and most prolific outside Apple security researcher, is no longer welcome to write iOS programs.

Apple has expelled researcher Dr. Charlie Miller from the iOS developer program.

Miller, if you don't know, is easily the most famous and successful security researcher for the Mac and iOS platforms. Miller has won many awards for his research and found many important vulnerabilities in Apple's software. Miller doesn't work for Apple; he is principal research consultant for Accuvant LABS, the research arm of security consulting firm Accuvant.

Apple expelled Miller for doing what he does: demonstrating his research. In the video below, he explains and demonstrates a flaw he found in iOS and, arguably, the App Store vetting process, which allows a malicious app to download and execute unsigned code from any arbitrary site.

Normally, code that runs on the iPhone has to be code-signed so that Apple can verify who wrote it and retain the ability to remove it, but the code this app downloads need not be signed. This is a major gap in iOS security.

As Miller makes clear, he created the app that downloads and executes the malicious code. He submitted it to Apple for the App Store and it was published. This is a clear violation of the terms of service for the App Store, so in that sense he knew what he was doing and they have every right to revoke his iOS developer program account.

But this is about as classic a "shoot yourself in the foot" maneuver as I have ever seen. It has become clear in the last 10 years or so that independent research is critical to keeping products secure. Modern software products are just too complicated for vendors to do all the research themselves. Although Apple does do some internal security penetration research on their own products, they have a bad reputation for finding and fixing vulnerabilities quickly. It's not uncommon for them to go years before patching known vulnerabilities.

There's nobody out there who has done as much work in this area as Miller. Apple and their users need him, and Apple would do well to find some way to allow Miller to do what he needs to do.
