
Are you sure about that?
 
I imagine they are already working on it, seeing as they have seen the video, removed the app and removed him as a developer.
 
Nothing to really worry about.

except that this could be used to steal your data and then wipe your phone.

----------

I imagine they are already working on it, seeing as they have seen the video, removed the app and removed him as a developer.

Removing the app makes sense. Removing him as a developer not so much.

He is a security researcher who is basically helping Apple and giving them time to fix it before he exposes it next week. Expect them to include a fix in 5.0.1 before it is released.
 
except that this could be used to steal your data and then wipe your phone.

----------



Removing the app makes sense. Removing him as a developer not so much.

He is a security researcher who is basically helping Apple and giving them time to fix it before he exposes it next week. Expect them to include a fix in 5.0.1 before it is released.

Yeah, but hearing on the news that "someone released a virus for the iPhone, but the program was removed and the person is no longer a developer", looks much better than "someone released a virus for the iPhone, Apple to release a security update later this month to fix the flaw".

It's all about the marketing...
 
except that this could be used to steal your data and then wipe your phone.

----------



Removing the app makes sense. Removing him as a developer not so much.

He is a security researcher who is basically helping Apple and giving them time to fix it before he exposes it next week. Expect them to include a fix in 5.0.1 before it is released.

Maybe but his developer account was a standard account and not a researcher account. He also actively exploited a security flaw.
 
Maybe but his developer account was a standard account and not a researcher account. He also actively exploited a security flaw.
This. You can't just say "Oh, I'm a researcher" and submit malware to the App Store. It shows really poor judgement. Of course, they did hire the guy from the jailbreaking community. But the big difference is that he had no prior agreements with Apple which he broke, and he wasn't actually doing anything illegal. I don't know what Miller was expecting, losing his developer license was inevitable. It's kind of sad, no doubt he's a smart guy... in the ways of programming.
 
Security Researcher Reveals iOS Security Flaw, Gets Developer License Revoked






Security researcher Charlie Miller revealed earlier today that he had found an exploit in Apple's iOS software that allows an app to run arbitrary code. Apple generally approves all code that is submitted to the App Store and forbids the execution of unapproved code, but Miller discovered a way to bypass this restriction. Forbes writes:
Miller became suspicious of a possible flaw in the code signing of Apple's mobile devices with the release of iOS 4.3 early last year.
...
The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he'd like.
Beyond discovering the bug, Miller went a step further and actually had an app submitted to the App Store which took advantage of this bug. The app was approved and was able to perform as expected:
Using his method - and Miller has already planted a sleeper app in Apple's App Store to demonstrate the trick - an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user's photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.
Shortly after the news broke, Apple revoked Miller's developer account, citing a breach of the developer agreement.
"This letter serves as notice of termination of the iOS Developer Program License Agreement...between you and Apple," the email read. "Effective immediately."
Miller plans to present his findings at the SyScan conference in Taiwan next week.
 

I guess he should have told Apple about it instead of submitting that app.
 
I wasn't aware that Google rewarded people for exploiting their security flaws without their consent. :rolleyes:

No company or person likes to be exploited. Miller should have revealed the findings instead of trying to take advantage of the flaw.
 
It's one thing to find a security hole and professionally inform Apple, quite another to write an app to exploit it and announce you will tell the world how to do it in a conference in a week...

Charlie is a smart guy who makes some really stupid decisions.

Professional developers disclose issues in iOS to Apple through secure channels all the time without this media madness.
 
Telling Apple about it? Excellent, have a cookie.

Uploading an exploit to a live environment where people can download it? Not cool.
 

I guess he should have told Apple about it instead of submitting that app.

That's what people are supposed to do and actually do. :)
 
If you read the source article, the guy reported the bug to Apple a month ago.

----------

This makes Apple look pretty bad. And if he had submitted the bug what are the chances Apple would have responded in a timely manner if at all?

He submitted the bug to Apple on Oct 17 according to the source article.
 
This makes Apple look pretty bad. And if he had submitted the bug what are the chances Apple would have responded in a timely manner if at all?

Are you an Apple developer? Bug Reporter is very active and an issue like this is treated as DEFCON 1. This is a huge bug that, when exploited, is an unbelievably huge security leak. Apple cannot tolerate having left this for more than a week as well.

Plus the guy made an app. Submitted it. Got it accepted and placed in the app store. Probably spent a month just to prove his concept.
Great. That's how you get revoked.

On another note, I'd be surprised if Apple doesn't take a stance against this developer as instead of giving this info to Apple, he decided he would make a video out of it and bring some free media hype and undeniable fame. Cool.
 