SIPRNet has been compromised many times in the past and still has issues with OPSEC regarding its users. If you're an AKO-S/DKO-S user, that system has been rated piss poor by NSA, who's the Tier 1 entity for COMSEC.

Yes, yes, I know ... and users will always be a major risk, but the comment was more to lighten the mood.
 
Cult comes to mind sometimes. I like Apple products but it feels like a cult sometimes and not a grown-up company. :eek:

The odd thing is Microsoft isn't much different in some ways. If there was a similar issue with Windows Whatever, if Steve Ballmer were to respond, I'd almost guarantee that he'd downplay it as well and because he's Steve Ballmer, whatever he says is going to sound utterly ridiculous. However if you communicate with their engineers, you'd get a more realistic and humble response usually acknowledging any issue you present to them as long as you provide enough details.

Personally I believe that it serves better if Apple made the decision to take Charlie's efforts more proactively and perhaps give him credit for his discovery and make a small announcement that "thanks to him, a fix is on its way very soon". In my eyes that would appear to fit the scheme of being in the Apple family/cult showing how users and professionals are working together to maintain a great system with their products.

Apple, while not wrong for terminating Miller's account, now looks like a scenario involving a student who said the Principal's wife is ugly, was confirmed as fact and got expelled from school because of it.
 
I guess he should have told Apple about it instead of submitting that app
He did it for the notoriety and exposure. Perhaps he felt it could help get a software security gig.
 
None of this is surprising to anyone that has a modest amount of understanding in this subject.

1) The JavaScript exploit has been known as a potential issue since Apple switched the privileges up to allow for JIT.

2) Many many things have passed through the App Store approval process, the more famous ones being the apps that had "easter eggs" to allow you to enable Emoji. The approval process can catch a lot of things but it also misses a lot of other things. That is why there are revocable certificates.

3) While unfortunate that he submitted the app and then was removed from the developer program, he did violate his terms. I'm not going to go into which move was right and/or wrong. There is precedent for this so it isn't surprising.

4) Most customers are extremely uninformed on these issues. Using the logic of trying to show Apple with their pants down (implying the customer thinks "App Store perfect, no viruses, viruses bad!") they'll now think "App Store broken, developer write virus, viruses bad!" How did this help anyone? Yes, it isn't really worse than before but they didn't learn anything. You're just shifting them from one polar extreme to another. Eventually you'll get the boy who cried wolf syndrome (you switch between extremes so frequently and eventually they won't listen to you).

My point: how is this benefitting anyone? Surely there must be a better way to teach people about security. (Apple will be Apple, they're stubborn and I doubt anything short of something catastrophic will change their slow and steady method for security...which does have some positives but also some negatives.)
 
I'm not sure if this was mentioned, but his latest tweet says that he pushed the app out to the store in SEPTEMBER, this is well before he notified Apple of the exploit.
 
This is NOT good... let's hope Apple releases a fix soon.

From the article:
Miller won’t say just what that bug is until his talk next week in order to give Apple more time to fix the flaw.

Sorta sounds like he felt like he was forced to go this route. It is all in the spin control right? Need the Spin Doctors to get us some Kryptonite!
 
I guess he should have told Apple about it instead of submitting that app
Which he did, read the links in the very MR-article. Yeah, a lot to ask. :D:apple:

----------

I'm not sure if this was mentioned, but his latest tweet says that he pushed the app out to the store in SEPTEMBER, this is well before he notified Apple of the exploit.
Of course he had to submit it before reporting it to Apple, to see if the (automatic?) app-review detects the exploit. Because then the bug would just be of academic nature.
 
Which he did, read the links in the very MR-article. Yeah, a lot to ask. :D:apple:

----------


Of course he had to submit it before reporting it to Apple, to see if the (automatic?) app-review detects the exploit. Because then the bug would just be of academic nature.

He still pushed an app out there that had the ability to download unsigned code which gives an attacker control over the remote device. As his YouTube video shows he had the ability (if he chose to) to run commands on an affected device and download data from the device.

He also created this app as "InstaTicker" or something similar (can't remember the exact name), so this is something that quite possibly could have appealed to someone browsing the app store at that time.

Yes, I want to be protected from a poor process but there are ways to go about it which don't have the potential impact that this did.
 
He already has attention. He did it because that's what security researchers do.

Security researchers also gave us the now disproven random 8 character password with upper and lower case, number and symbol, change it every few months and don't write it down on a sticky note security method.

They understand security, they don't understand people. There is a reason most security exploits "break" the people running the computer.
 
interesting

Well, the guy did violate the developer agreement. What he could have done instead would be to inform Apple of the bug he discovered so that it could be patched. Bug would get squashed, and he'd still have his developer agreement intact.
 
Security researchers also gave us the now disproven random 8 character password with upper and lower case, number and symbol, change it every few months and don't write it down on a sticky note security method.

They understand security, they don't understand people. There is a reason most security exploits "break" the people running the computer.

They also gave us 2 factor authentication, they gave us biometric based authentication, facial recognition, certificate based authentication and plenty of other methods besides the traditional username/password combination (which dates back quite far...).

They also understand people. Security researchers often use what is called social engineering, which is basically the science of exploiting the human flaw, to obtain information in breaking security.

I think you grossly misunderstand the field if you really think security researchers don't know the people running the computer.

----------

Well, the guy did violate the developer agreement. What he could have done instead would be to inform Apple of the bug he discovered so that it could be patched. Bug would get squashed, and he'd still have his developer agreement intact.

He did. It hasn't been patched yet.
 
Android phone? Look at my sig. I never owned an Android phone. :rolleyes: I'm not upselling anything, I'm trying to downplay your downplaying. Why do you feel Apple needs you to intervene in their favor?

Sorry if my post hurt your feelings.

I'm not downplaying the issue; I'm being objective.

This isn't the type of threat that manifests as anything significant in the wild.

This iOS issue isn't as serious as the article makes it out to be.

This bug doesn't include privilege escalation so it doesn't allow apps to be installed. It also doesn't have access to protected data storage and protected data entry.

This bug has no value in relation to mass automated malware. Computer criminals don't care about your photos and access to contacts is only meaningful to spread automated mass malware if a vector to make that malware profitable is present, which isn't the case with this bug.

__________

Google Android has a similar bug but the bug in Android does allow for privilege escalation.

The two Android vulnerabilities, which have been reported to Google but not yet patched, shown in this video are:

- A permission escalation allowing the installation of applications with arbitrary permissions without user approval.

- A privilege escalation targeting Android’s Linux kernel that allows an unprivileged application to gain root access.

http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/

The kernel vulnerability in Android presented in the article above is patched but the other issue is still unpatched. These threats were publicly disclosed on Sept. 20, 2011 and were most likely reported to Google prior to being publicly disclosed.

More information about these Android issues is found in the following link:

http://www.securityfocus.com/bid/49709

__________

Apple's response time to fix critical iOS vulnerabilities has been much better than that of Google. Especially for critical bugs which include privilege escalation.
 
He already has attention. He did it because that's what security researchers do.


For the last decade the way to do these things has been to quietly contact the company, who then promises to fix the bug within a few months, and only go public if the said company ignores the warning.
 
I'm not downplaying the issue; I'm being objective.

This isn't the type of threat that manifests as anything significant in the wild.

So am I. This is the type of threat that can be used in the wild to mostly collect data in order to then proceed to annoying people.

I think your accusation of "being an Android owner" was quite ludicrous and doesn't help your credibility in this case. You're usually much more level headed.

Your pointing out Android was also not objective, "being not as worse as the other guys" is not a good method of securing your stuff.



----------

For the last decade the way to do these things has been to quietly contact the company, who then promises to fix the bug within a few months, and only go public if the said company ignores the warning.

Exactly what was done here.
 
Of course he had to submit it before reporting it to Apple, to see if the (automatic?) app-review detects the exploit. Because then the bug would just be of academic nature.

It's my understanding that an automated "screener" app is run to parse through the code looking for questionable signatures (I'd assume methods that read/write the FS and/or invoke network service or properties about the owner/location/etc.), then those are manually reviewed or at least spot checked, probably based on the vendor's history.

The thing he managed to do is find some normally benign code section (that's overlooked by any pre-scanning process), and implement his "hack".

For the record, I'd imagine Apple might re-review his developer status, but in the near term, I don't see them as having any other option.
 
The Ostrich Approach to iOS Security

Following Apple's logic, FBI agents who test TSA security and discover flaws should be fired.
 
So am I. This is the type of threat that can be used in the wild to mostly collect data in order to then proceed to annoying people.

I think your accusation of "being an Android owner" was quite ludicrous and doesn't help your credibility in this case. You're usually much more level headed.

Your pointing out Android was also not objective, "being not as worse as the other guys" is not a good method of securing your stuff.

And this is the point, harvesting information from mobile phones is currently big business in the Android app cybercrime industry. Full disclosure is something that's been discussed many times before, and certainly won't be resolved here.

I'd also say that anyone who thinks that this vulnerability isn't being exploited at the moment is delusional. This isn't scaremongering, simply reality (albeit that the likelihood of being impacted is very slight) as cybercriminals are actively targeting the mobile device ecosystem.

The key here is to ensure that you're using apps from established companies within the app store.
 