Sure *that* web page was clear. What about other web pages that used this bug for more malicious intents ? :rolleyes: That's the point, the PDF bug was not a jailbreakme.com exclusive that could only be triggered by their site.

And frankly, why boo Apple for fixing such a nasty bug for all of us who are not interested in jailbreaking our devices ? Apple did the right thing in fixing it, breaking jailbreaking was a side effect of having a secure device, and I'm all for it. People who boo Apple for fixing this stuff have no grasp on the issues.

Booing Apple for fixing the PDF was stupid -- I totally agree. But folks probably felt pretty safe in their ability to avoid the PDF exploit by simply surfing on more trusted Internet sites and did not mind waiting the period for Apple to fix the bug. Or perhaps they felt the odds of stumbling on a malicious PDF were low. It's a different mindset than having downloaded an app and later discovering it could have been snooping through all of your stuff. Those who were really concerned by the PDF bug could have jailbroken their phone that day and downloaded the fix because it was being provided on Cydia -- however, this is clearly not a great option for most folks.

Why would they hire him now ? It's not the first time he's found exploits for OS X or iOS.

That's true, but I think if he had contacted Eddy Cue about the approval process and demonstrated that he could get an "Easter Egg" app through he could have made a case for such a thing if he desired it. Certainly Apple should be planting "bad apps" in the process (perhaps they do), but the hacker community is certainly more sophisticated in hiding their easter eggs. Apple should open up channels to the white-hat community to submit booby-trapped apps that will never see the light of day but will help Apple train its approvers in spotting "bad apps". Apple should even pay the white hat guys who submit these "bad apps" to give quarterly training on how to spot malicious attempts from their apps.
 
He likely doesn't care.

He obviously knew what he was doing - if he's in security, this pull is cred for him. I'm sure if he can do this he can easily work around not having a dev account.
 
Not crying foul ... Miller is whining about being kicked on twitter, but what did he really expect would happen, given his personality.

Alternatively, could we say that Apple is now throwing a hissy fit and now revoking Miller's developer license?

This kind of thing occurs all the time, in other areas too. For example, airport security - a group / individual finds weaknesses, exploits it to make a point, then the "Whistle Blower" ends up getting arrested.
 
The link references Android 2.3.5 as the latest version vulnerable.

Are Android 2.3.7, 3.2 and 4.0 still affected at all?

Whilst the issues Google have with Android are potentially bad, I'm unsure what it has to do with the discovery, submission and approval of a potentially malicious app on a vetted application store such as Apple's.

A lot of people tout the approval process as the best safety net over rival platforms application distribution but this just emphasizes how much of a fallacy that is.

CVE doesn't yet have an entry for these vulnerabilities which most likely means that the one issue is not yet patched given that CVE typically doesn't list unpatched vulnerabilities.

The SecurityFocus disclosure shows that up to Android 3.5 is vulnerable.

So, Android 3.2 is for sure vulnerable but I don't know about 2.3.7 or 4.0.

I brought up Google because others prior to my post brought up Google in comparison.

BTW, Apple's vetting process is still much better than Google's. Google allows anonymous signup and self-signed certificates, which allows an attacker to submit multiple malicious apps despite having apps revoked in the past.
Then that is the end of it. He informed Apple. They were made aware. There is nothing more that needs to be done. A concerned citizen, etc. They need not respond. Unless he has some ulterior motive. Which he does, because he likes his name in the tech headlines.

This is nonsense. If he found it, someone who wants to use it for criminal purposes will also find it.

It is irresponsible to not inform the public if Apple sit on it, as they have an established track record of doing.

Phazer
 
Alternatively, could we say that Apple is now throwing a hissy fit and now revoking Miller's developer license?

So, terminating his license in accordance with the TOS he agreed to, then violated (knowingly, intentionally, and arguably with malice), is throwing a hissy fit?

Really?
 
Not crying foul ... Miller is whining about being kicked on twitter, but what did he really expect would happen, given his personality.

That's childish of him, of course. I wouldn't exactly send him a gift package, either.

But folks probably felt pretty safe in their ability to avoid the PDF exploit by simply surfing on more trusted Internet sites and

Please show me these "more trusted Internet sites". I'm rather convinced no internet site should be trusted at all. Cause you can't ever know what's out there. *cue x-files theme*

Those who were really concerned by the PDF bug could have jailbroken their phone that day and downloaded the fix because it was being provided on Cydia -- however, this is clearly not a great option for most folks.
To be precise, this is NO option. NONE. EVER. :D:apple:
 
CVE doesn't yet have an entry for these vulnerabilities which most likely means that the one issue is not yet patched given that CVE typically doesn't list unpatched vulnerabilities.

The SecurityFocus disclosure shows that up to Android 3.5 is vulnerable.

So, Android 3.2 is for sure vulnerable but I don't know about 2.3.7 or 4.0.

I brought up Google because others prior to my post brought up Google in comparison.

BTW, Apple's vetting process is still much better than Google's. Google allows anonymous signup and self-signed certificates, which allows an attacker to submit multiple malicious apps despite having apps revoked in the past.

The latest publicly released version of Honeycomb is 3.2, so I'm unsure where their claim that 3.5 is affected has come from. Could that simply be a typo?
 
I think the hardest thing for Apple here is the fact that he demonstrated the exploit along with the imperfect approval process in a single blow and now customers are worried about the potential of having been compromised.

Bingo, the best quote of the entire thread stated right there.

Miller not only discovered an exploit within iOS but he also proved that it can be used to circumvent the app approval process by allowing a compromised app to go through.

Apple will never willingly admit that their products are just as vulnerable and not foolproof against exploitation. With OS X they silently implemented XProtect but don't advertise that it comes with free anti-malware, for the reason that they don't want to openly admit that OS X is not malware-proof.

The same has now been confirmed with the App Store approval process: they want you to believe that it's an unexploitable system, and now the jig is up.

Not sure why people flip out over stuff like this, as if their pride is hurt or something. Munkery stated only one thing I can't debate, and that's about how important it is to respond and continue working to improve upon security. Security pros know that product security is not a one-time, one-shot deal; it's an ongoing and continuous process.
 
I imagine they are already working on it, seeing as though they have seen the video, removed the app and removed him as a developer.

Removing him as a developer was the dumbest thing to do. But considering the size of Apple nowadays it makes sense they would make a mess of this. :rolleyes:

----------

Not sure why people flip out over stuff like this, as if their pride is hurt or something.

Cult comes to mind some times. I like Apple products but it feels like a cult sometimes and not a grown up company.:eek:
 
And to the people crying foul over C.M. seeking attention: WELL DUH! That's the point. He hasn't disclosed the specifics of the exploit, or what the exploiting payload looks like. Just the app in the app-store which could load and execute the payload. Easy, guys.

I saw him at DEFCON last year and I came away feeling that he loves attention.
 
Your upselling of this issue in iOS and reactivity to my post suggests that you may have an Android phone.

Sorry if my post hurt your feelings.

Android phone ? Look at my sig. I never owned an Android phone. :rolleyes: I'm not upselling anything, I'm trying to downplay your downplaying. Why do you feel Apple needs you to intervene in their favor ?

Sorry if my post hurt your feelings.
 
Everybody just needs to find better things to do. No one's impressed with hacker crap. If it's not for a purpose with some sort of good will, don't do it. Get a life.
 
Removing him as a developer was the dumbest thing to do. But considering the size of Apple nowadays it makes sense they would make a mess of this.

If severing his dev account hampers Charlie's ability to communicate directly with Apple iOS engineers to work things out, then you'd be absolutely correct.
 
Source is the news you are commenting to, the Forbes article is linked in the MacRumors article.

I must correct myself, though, he reported it to Apple on Oct 14. Not Oct 17 as I mistakenly said above.

Illegal? Hardly. Publicity is often considered the greatest tool in security and secrecy is just security by obscurity. When the holes are in the open, people know how and have the motivation to fix them. Now it would be completely another thing if he would exploit the bug in practice to reach other people's data - that certainly could and would be illegal.

I know some disagree with the open philosophy (and certainly there are merits for a debate), but this is really a very common point of view in the information security world and e.g. a reason why many consider open-source the securest form of software because it is out in the open for all to see (and thus learn/analyze/fix).

I am sorry but I'm not able to find where he reported the bug to Apple.

Please can you guide me?

Thank you
 

He deserved that. If he found a bug or hole, why didn't he report that to Apple? Instead of that, he created an app that could harm customers and demonstrated it on YouTube. What's the point of doing that? Sorry, but your 15 minutes of fame have ended.

And John Gruber had talked about the security weakness in March http://daringfireball.net/2011/03/nitro_ios_43
 
Finding a security flaw in iOS: Professional
Reporting it to Apple promptly: Professional
Submitting a virus to the app store that steals people's info: Insanely Infantile

How could you NOT revoke his developer account. He submitted a virus to the app store!

Imagine this scenario:

Security consultant finds a flaw in your home security system and safe.
He reports it to you. A few days later you realize your safe has 1/2 the money in it. Two hours later, a guy holds a press conference admitting he stole your money, and "it's your fault for not taking me seriously." Is he guilty of larceny? Does he go to jail? Absolutely!
 
Please show me these "more trusted Internet sites". I'm rather convinced no internet site should be trusted at all. Cause you can't ever know what's out there. *cue x-files theme*

I'm just saying that people have a certain "trust level" when they surf the web. They feel that certain sites that they have always frequented are safe. When they start doing internet searches for random things and clicking on random sites they are not as sure. They still have a sense of "it won't happen to me".

However, if you reverse that on them and they actually download an app to their device and after having installed it they learn that somebody could have remotely been ferreting through their personal information then the immediate reaction is to believe that somebody has. It is no different than discovering you have previously installed malware. You frantically try to remove it from the machine, but you always wonder of what the malware might have done while it was installed and what some remote hacker lifted from your hard drive.

With Charlie Miller's app, those who downloaded it are frustrated. Truth be told, Charlie is probably too aware of the legal implications of doing anything with his rogue app except to his own devices. One way that Charlie could have coded the app was to make sure the app did not do anything unless it was connected to his subnet -- i.e., have it behave like a stock ticker app unless he recognized the MAC address of the DHCP server or if the GPS location of the device was his home.

Anyway, this was a great find, but Apple had to take the action they did because Charlie exposed their customers to malware. Apple needs to follow-up with a "white-hat developer program" to allow white-hat folks to submit apps under assumed identities to the app store, then send those apps to their approvers, and for every approval of their malicious apps, pay a bounty after the white-hat developer provides information to Apple on how to better identify the malicious code in their app. They could even pay these guys to come out quarterly and talk to the approvers.

In the scenario I describe, those malicious apps would never see the light of day and the white hat community would have a great route to try to dupe the app store reviewers and make some money in the process.
 