Apple Bans Researcher For Disclosing iOS Bug - InformationWeek
12:57 PM
Larry Seltzer


Dr. Charlie Miller, the best known and most prolific outside Apple security researcher, is no longer welcome to write iOS programs.

Apple has expelled researcher Dr. Charlie Miller from the iOS developer program.

Miller, if you don't know, is easily the most famous and successful security researcher for the Mac and iOS platforms. Miller has won many awards for his research and found many important vulnerabilities in Apple's software. Miller doesn't work for Apple; he is principal research consultant for Accuvant LABS, the research arm of security consulting firm Accuvant.

Apple expelled Miller for doing what he does: demonstrating his research. In the video below, he explains and demonstrates a flaw he found in iOS and, arguably, the App Store vetting process, which allows a malicious app to download and execute unsigned code from any arbitrary site.

Normally, code run on the iPhone has to be code signed so that Apple can ensure who wrote it and be able to remove it, but the downloaded code need not be signed. This is a major gap in iOS security.

As Miller makes clear, he created the app that downloads and executes the malicious code. He submitted it to Apple for the App Store and it was published. This is a clear violation of the terms of service for the App Store, so in that sense he knew what he was doing, and Apple has every right to revoke his iOS developer program account.

But this is about as classic a "shoot yourself in the foot" maneuver as I have ever seen. It has become clear in the last 10 years or so that independent research is critical to keeping products secure. Modern software products are just too complicated for vendors to do all the research themselves. Although Apple does do some internal security penetration research on their own products, they have a bad reputation for finding and fixing vulnerabilities quickly. It's not uncommon for them to go years before patching known vulnerabilities.

There's nobody out there who has done as much work in this area as Miller. Apple and their users need him, and Apple would do well to find some way to allow Miller to do what he needs to do.
