12:57 PM
Larry Seltzer

Apple Bans Researcher For Disclosing iOS Bug

Dr. Charlie Miller, the best-known and most prolific outside researcher of Apple security, is no longer welcome to write iOS programs.

Apple has expelled researcher Dr. Charlie Miller from the iOS developer program.

Miller, if you don't know, is easily the most famous and successful security researcher for the Mac and iOS platforms. Miller has won many awards for his research and found many important vulnerabilities in Apple's software. Miller doesn't work for Apple; he is principal research consultant for Accuvant LABS, the research arm of security consulting firm Accuvant.

Apple expelled Miller for doing what he does: demonstrating his research. In the video below, he explains and demonstrates a flaw he found in iOS and, arguably, the App Store vetting process, which allows a malicious app to download and execute unsigned code from any arbitrary site.

Normally, code run on the iPhone has to be code-signed so that Apple can verify who wrote it and is able to remove it, but the downloaded code need not be signed. This is a major gap in iOS security.

As Miller makes clear, he created the app that downloads and executes the malicious code. He submitted it to Apple for the App Store and it was published. This is a clear violation of the terms of service for the App Store, so in that sense he knew what he was doing and they have every right to revoke his iOS developer program account.

But this is about as classic a "shoot yourself in the foot" maneuver as I have ever seen. It has become clear in the last 10 years or so that independent research is critical to keeping products secure. Modern software products are just too complicated for vendors to do all the research themselves. Although Apple does do some internal security penetration research on their own products, they have a bad reputation when it comes to finding and fixing vulnerabilities quickly. It's not uncommon for them to go years before patching known vulnerabilities.

There's nobody out there who has done as much work in this area as Miller. Apple and their users need him, and Apple would do well to find some way to allow Miller to do what he needs to do.
