Looks like he was looking for his 15min., he got it. If he really wanted to help, let Apple know there is an issue and let them deal with it. I wouldn't be surprised if there are legal repercussions.
 
Looks like he was looking for his 15min., he got it. If he really wanted to help, let Apple know there is an issue and let them deal with it. I wouldn't be surprised if there are legal repercussions.
Another one who didn't read the linked articles and the comments. Excellent. :D:apple:

Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th.
http://www.forbes.com/sites/andygre...per-program-for-proof-of-concept-exploit-app/
 
Looks like he was looking for his 15min., he got it. If he really wanted to help, let Apple know there is an issue and let them deal with it. I wouldn't be surprised if there are legal repercussions.

stop wasting everyone's time, please.
 
except that this could be used to steal your data and then wipe your phone.

----------



Removing the app makes sense. Removing him as a developer not so much.

He is a security researcher who is basically helping apple and giving them time to fix it before he exposes it next week. Expect them to include a fix in 5.0.1
before it is released.

Actually read the developer agreement: he completely violated Apple's terms and should be removed. He could have easily told Apple without putting a malicious app on the App Store.
 
He is a security researcher who is basically helping apple and giving them time to fix it before he exposes it next week. Expect them to include a fix in 5.0.1
before it is released.

He's a security researcher who violated the terms of his agreement in order to make a bunch of money and get his face posted on blogs like this one. He's not trying to "help" anyone. :rolleyes:

He got what he wanted and Apple bounced him. That gave him even more publicity. He's a pretty happy guy right now.
 
I am actually glad he went all public with this.

I would rather have him discover this than some secretive hacker that will actually maliciously exploit the iOS system.

I like Apple products but I won't be on the side of the company, I am on the side of the consumer. From the information I gathered, I think Apple shouldn't have taken away his developer license.
 
Well, the guy did violate the developer agreement. What he could have done instead would be to inform Apple of the bug he discovered so that it could be patched. Bug would get squashed, and he'd still have his developer agreement intact.

For reporting a bug you need proof. Nobody will listen to you if you merely claim there might be an issue. And if you are serious about research you work on facts, not hypotheses, because it's simply better for your reputation.
Submitting the app in the way it was done was a requirement for bringing proof.

He could have handled it differently after that, but I guess that's a personal thing.
Apple banned him for rule violation when submitting the app, not for the publicity.

Two weeks notice is a pretty long time. Other companies go publicly busted if not responding within a week or even shorter. This is a very common and accepted pattern.

The ban and what you are asking for is a clear signal for researchers not to investigate this space. This can't be good.
It is a well known dilemma in the security research space, of course. Bottom line is that violation of terms and conditions has to be accepted when done for research purposes, for reason.
 
This. You can't just say "Oh, I'm a researcher" and submit malware to the App Store. It shows really poor judgement. Of course, they did hire the guy from the jailbreaking community. But the big difference is that he had no prior agreements with Apple which he broke, and he wasn't actually doing anything illegal. I don't know what Miller was expecting, losing his developer license was inevitable. It's kind of sad, no doubt he's a smart guy ...in the ways of programming.

What he should have done was release it to the app store, wait for it to be approved, then immediately remove it from the app store and notify Apple that they approved this dangerous application.

Or he should have found someone at Apple to send it to outside of the normal submission process, informing them that he thinks their systems would approve the app, but that it exploits a security flaw. (In fact, maybe Apple should setup a security department much like credit card companies have where people can submit security issues.)

Both of those would have been responsible ways of handling the situation.
 
I guess he should have told apple about it instead of submitting that app


...Miller should have revealed the findings instead of trying to take advantage of the flaw.

Previous exploits that have been identified and (only) reported took a very long time to be addressed by Apple.

Actually showing that this exploit urgently needs to be addressed is meant to speed things up.

He didn't "benefit" from the exploit...he showed that he was right and that it needed to be addressed.

His actions should be rewarded. Punishing an individual who had good intentions and didn't hurt anyone will not benefit Apple.

Next time, maybe this guy (or others like him) will just say "screw it...let Apple figure it out"...and by that time, some actual damage might get done.

Poor handling by Apple.
 
Who cares what “people” would say? He’s in this to improve security, not just for attention, right?

He needs to communicate the bug to Apple, not to the public, and putting a malicious test app out to people via the App Store is unnecessary for that—and he most certainly knew he was violating the terms when he did so.

He also gave potential malware-writers a big hand by his choices. He should have waited for a fix, and then he could brag all he likes about how he helped make that fix happen. He gave them one month?! At a time when iOS 5, iCloud, and the iPhone 4S are all new? Not all fixes are equally easy. Maybe it takes two months this time. Is he really helping the platform and us users by deciding that one month is the deadline, and giving malware writers a heads-up? (Not as bad as giving them full details, but he’s set them on the track.)

And should Apple let him get away with the submission, when that sends a message to the next person who decides to pull a similar stunt?

It’s good that he caught this. But his actions, timing and choices almost make me think he wants attention first, and security a distant second....
 
His action may have been a lot of things, but malicious? Far from it. :D:apple:

Lookup the legal definition of malice ... he submitted the app knowing that later his announcement would cause embarrassment to Apple and (likely) damage to stock.

He was depending on the harm of his action to motivate Apple to action ... that is malice.
 

They likely have. He was looking at 4.3 and perhaps even on the base version of it. There were like 2 point releases plus iOS 5 since that initial release.

So really the only folks affected by this would be that small group of less aware users that never updated their software. But that's a tiny group that gets smaller all the time because the moment they have an issue and go to the Apple Store the first thing that happens is their software is updated.
 
So, Apple should just let people breach contracts?

Miller did it maliciously, and Apple should look the other way.

:rolleyes:

There is no evidence that CM did this out of malice. To state otherwise has no basis in terms of the facts. His job is to find flaws and report them, he's done this and felt that Apple have dragged their heels. Personally, I reckon he had this teed up for the Syscan event and hoped that Apple would sort it first before others used it more widely, and is now trying to pressure Apple to sort it.

As I said before, full disclosure is a very emotive subject; there is no right or wrong, only strong opinions and solid arguments on both sides.
 
He is a security researcher

More like, he is a self proclaimed security researcher who abused the terms of being a developer to submit an app he knew was a security risk and would possibly be downloaded and used by people that don't read the blogs and don't know the danger and he could exploit that to harvest their information.

That deserves getting canned from the program.
 
Lookup the legal definition of malice ... he submitted the app knowing that later his announcement would cause embarrassment to Apple and (likely) damage to stock.

He was depending on the harm of his action to motivate Apple to action ... that is malice.

But at the same time he only did it after Apple refused to address the rather massive bug.
As others already pointed out, without a proof of concept this would have been denied as ever being an issue, because Apple would never "approve" such an app; clearly that is not the case.

Really his app does as little as possible to be bad. It only checks when it is opened for the first time. Someone who wanted to do damage would have it check every time it ran, not just the first time. This would force Apple to use the nuclear option of remotely deleting apps.
Typical Apple response in my book. Do not prove we have holes as we are going to ban you.
 
What does Android have to do with any of this? "We've got bugs? Well the other guys have WORSE bugs" isn't exactly an argument that makes anyone look good.

Your pointing out Android was also not objective; "being not as bad as the other guys" is not a good method of securing your stuff.

I brought up Google long after Google was introduced into the discussion with the following post:

Meanwhile Google is handing out bounties for stuff like this. Because why would you want to get (almost) free help from industry-leading professionals? Submitting it to the App Store probably wasn't the way to go, though.

So am I. This is the type of threat that can be used in the wild to mostly collect data in order to then proceed to annoying people.

There are much more efficient ways to collect email addresses.

Why go after a relatively tiny number of mobile phones, when you can go after a large number of computers running much easier to exploit OSs, such as Windows XP?

It is much easier to turn these easier targets into mass mailers as well. Turning machines into mass mailers is even more important to profitability because the lower rate of spam from each machine reduces the likelihood of the activity being detected. It is also easier to collect protected data and storage from PC hosts as well.

It doesn't make sense to go after iOS devices unless the monetary gain is more direct, such as with the inclusion of privilege escalation.

I think your accusation of "being an Android owner" was quite ludicrous and doesn't help your credibility in this case. You're usually much more level headed.

You seem to be showing reactivity toward my posts when the discussion involves mobile OS security.

https://forums.macrumors.com/threads/1236870/

I'd also say that anyone who thinks that this vulnerability isn't being exploited at the moment is delusional. This isn't scaremongering, simply reality (albeit that the likelihood of being impacted is very slight) as cybercriminals are actively targeting the mobile device ecosystem.

I think that a guy that focuses on finding Apple vulnerabilities would find this long before anybody else.

Cybercriminals employ a measure of cost-benefit analysis on their activities because their revenue comes from not attracting attention to themselves.

Remember, Charlie Miller wasn't able to submit an app to the App Store anonymously.

It takes much less effort to anonymously distribute malware for other platforms than iOS.

The key here is to ensure that you're using apps from established companies within the app store.

But, I agree this is always good advice.
 
More like, he is a self proclaimed security researcher who abused the terms of being a developer to submit an app he knew was a security risk and would possibly be downloaded and used by people that don't read the blogs and don't know the danger and he could exploit that to harvest their information.

That deserves getting canned from the program.

You're only self-proclaimed if no-one else believes that you are. He submitted an app that he controlled, and quite simply he wouldn't work in the industry again if he were found to be using the weakness to harvest any information. Let's stop the hyperbole and stick to the facts?
 
Reading a lot of posts here, viruses and malware shouldn't be any problem anymore... we just have to tell the producers of this stuff they are violating a TOS... that must be enough to stop them ;)

That this guy wanted his piece of attention is absolutely irrelevant. Relevant is that the App Store has some flaws that need to be fixed.
 
He needs to communicate the bug to Apple,
Did.
and putting an malicious test app out to people via the App Store is unnecessary for that
The payload, which he has to enable to be downloaded by the app, is, not the app itself.
He also gave potential malware-writers a big hand by his choices.
Didn't.
He gave them one month?!
One month without any reaction from Apple. No "yup, will check", nada. The kicking was quick though. At least that works. :D
and giving malware writers a heads-up?
Again, didn't.

Lookup the legal definition of malice ... he submitted the app knowing that later his announcement would cause embarrassment to Apple and (likely) damage to stock.
Every security-related bug is embarrassment. So people should stop checking for security-bugs now? That's rich. And what's with that obsession with stocks? :D:apple:
 
His job is to find flaws and report them,

Report them to the software company, not to the world. For all we know he skipped over telling Apple about this until he had submitted the app (which isn't part of his job), allowed it to be downloaded who knows how many times, possibly used the exploit for his own gain ("I had to prove it would work") and then announced it to the public. That's when Apple found out that he had found this flaw. The whole big announcement game is classic fame whore tricks.

But in the end, Apple likely has their own 'security researchers' and may have already found this, and the guy could be using an outdated version of 4.3. Just like the kids at the various conferences with old versions of Safari etc. that find bugs that are already patched.
 