He gave them one month?!


The first time I ever heard of this guy was 2 (or 3?) years ago when he went public about a hole in OX, 9 months after he had informed Apple.

Apple patched the fix in a week later.....

Maybe he's just learned that to actually get them to do something about it, you need to call attention to it.
 
I brought up Google long after Google was introduced into the discussion with the following post

Because it was brought up does not mean you need to feed the people bringing it up. Just ignore posters who want to drag these threads off-topic, don't participate.

There are much more efficient ways to collect email addresses.

Why go after a relatively tiny number of mobile phones, when you can go after a large number of computers running much easier to exploit OSs, such as Windows XP?

Yeah, why go after 200 million devices ? And what about going after iOS means you don't also get to go after Windows XP or Windows 7 or Android ?

That's the thing, more vectors you can go after with your infrastructure for collecting the data, why wouldn't you use them ?
 
Actually read the developer agreement, he completely violated Apple's terms and should be removed. He could have easily told Apple without putting a malicious app on the app store.

He did tell Apple. Apple did nothing.

Apple is telling the world here they do not want researchers finding and reporting bugs.

Difference is instead you will get someone who will do it for truly malicious intent and they will not report it to Apple or do anything to force a fix. If he wanted a truly malicious app it would have checked for a payload every time it ran, not just on the first time, and then he would have never gone public or reported it to Apple.

This guy reported a bug in OSX and after 9 months of Apple doing nothing he goes public. Patched 1 week later.
 
Will glasses magically make Android 3.5 exist?

The latest version of Honeycomb is 3.2. I was questioning their findings on a non-existent version of Android.

http://developer.android.com/resources/dashboard/platform-versions.html
http://en.m.wikipedia.org/wiki/Android_version_history

The source may not yet be released or it was a pre-release version of 4.0 that was affected and disclosed by Google prior to a revision in the version number for the release.

No matter, at least some of the released versions of Android are affected given the lack of a CVE and the security focus disclosure still stating that there is no solution.

It may be possible that this won't get a CVE and security focus hasn't been updated but that seems unlikely given the severity of the bug.

Google is not very forthcoming with providing details about what is patched in each update.
 
onth without any reaction from Apple. No "yup, will check", nada.

Apple has no obligation to give him a response. Not a 'we'll check', not a 'yeah we fixed that in 4.3.2 you idiot' or whatever.

----------

He did tell Apple. Apple did nothing.

Based on what, his say-so?

For all we know, they did do something. They just aren't going to advertise that the flaw existed because they don't want anyone getting sneaky and thinking there might be a few folks that won't bother to update their software and will be perfect victims.
 
You are certainly not supposed to expose a company's customers to an exploit the way he did. I would not be surprised if federal charges are not brought against him. This is almost as stupid as the guys who posted the email addresses of iPad owners that they lifted from AT&T's original iPad data subscription web service.

Federal charges? What laws were actually broken? Please cite the laws, F. Lee Bailey.
 
Apple had to revoke his license as he knowingly submitted an App that allowed this potentially malicious access. I daresay there are people coding like mad somewhere in California plugging this gap, or at least revising their App review process to stop any more potential exploitations.

As many have already said: pointing out a flaw is a good thing, breaking your developer agreement to prove it is crossing a line that would only end one way. Unfortunately Apple can afford to sever links with individual developers in order to prove a (valid, in this case) point.
 
The first time I ever heard of this guy was 2 (or 3?) years ago when he went public about a hole in OX, 9 months after he had informed Apple.

He says he told Apple. But they never have proof they said anything or that they said more than "hey you've got a security bug in X" and left it up to the company to find it for themselves for months and then when they couldn't, rather than tell them exactly what and where it is, they say it publicly and claim the company had 'weeks to fix this and haven't bothered' (cause they were trying to find it)

It's a fame game with these folks. So they play it to make sure they can get the fame. Making the original company look like idiots just ensures they will get lots of hits from all the articles that are posted about it and thus the blogs etc. will post it.
 
Apple had to revoke his license as he knowingly submitted an App that allowed this potentially malicious access.

Given that they kicked out someone that used a similar trick just to make the volume buttons work as a camera shutter switch, you can imagine the stink if they didn't kick him out, regardless of his intent.
 
Apple has no obligation to give him a response. Not a 'we'll check', not a 'yeah we fixed that in 4.3.2 you idiot' or whatever.

----------

So then he doesn't have an obligation to report it either? He could just keep quiet about it and wait until some criminal discovers it and exploits it. Why not avoid that instead?

Based on what, his say-so?

For all we know, they did do something. They just aren't going to advertise that the flaw existed because they don't want anyone getting sneaky and thinking there might be a few folks that won't bother to update their software and will be perfect victims.

It seems most likely that Apple didn't prioritize this issue because they thought any such app wouldn't make it through review, so he had to show them.
 
But at the same time he only did it after Apple refused to address the rather massive bug.
As others already pointed out, without a proof of concept this would have been denied as ever being an issue because Apple would never "approve" such an app; clearly that is not the case.

Really his app does as little as possible to be bad. It only checks when it is opened for the first time. Someone who wanted to do damage would have it check every time it ran, not just the first time. This would force Apple to use the nuclear option of remote deleting apps.
Typical Apple response in my book. Do not prove we have holes as we are going to ban you.

Rodimus, I don't know where you're getting your info, but you're wrong. According to the guy himself, the app had been in the app store since September. He notified Apple on October 14th. If the guy valued his developer license (and clearly he does) then he made a pretty bad decision to knowingly violate the terms with the app.
 
Of course after it was approved. When the app gets sorted out by the app-review, there would be no problem. Geez...

You're missing the point.

He knew about the vulnerability since March ... he developed an exploit, wrote an app, put it in the app store, and then told Apple that a vulnerability existed. He had 8 months. Apple has had 3 weeks. Do you really believe he told them exactly where to look?

So now they have to find and patch the vulnerability without breaking other things, and he wants them to do it on his timeline - when he took months to develop the exploit.

The fact that the app got through the approval process is a different issue.
 
Hey, the guy wanted to be famous, now he's famous.

Publishing the inherent flaw in Nitro wasn't the issue, putting an exploit app on the App Store was. Apple has to revoke his developer license for that. No tears necessary, he had to know this was going to be the result. Even the timing seems like this was all designed to get publicity for his talk in Taiwan next week.

I wouldn't be surprised if all apps from guys who report security vulnerabilities will now get the fine toothed comb treatment.
 
Boy, lots of people are missing the point. Charlie Miller doesn't care about the developer's account. It's just needed to prove his concept and show a compromised app could be uploaded via regular channels. He disclosed it to Apple long before he made it public to give them time to fix it. He wasn't planning on making money off this. It's a throwaway account. He makes his money from private consulting and talks.
 
Hey, the guy wanted to be famous, now he's famous.

He was before this. :rolleyes:

Why do so many people who don't know about this guy, his work and what he's done insist on bashing him ? At least take the time to research the guy before you make assumptions about him.
 
Publicity is often considered the greatest tool in security and secrecy is just security by obscurity. When the holes are in the open, people know how and have the motivation to fix them.

I get that the threat of exposure and the associated cost of bad PR are an effective motivator security devs like to use to see their discoveries addressed.

However, actually doing it crosses a line and hits the users. Once a hotshot goes and makes his exploit public, invariably some kid decides to make a name for themselves or worse, releases malware to users, costing not Microsoft or Adobe, but every business owner with an office & shop full of infected computers thousands of dollars in productivity and worse (seen it) when it hits, or the rushed fix drops, requiring even more IT expenditure.

The defense of "they wrote the bug, I just pointed it out" is BS, because until you pointed it out, it didn't blow our project submittal deadline, or cost my 30 employees 3 hours productivity each (x how many companies?). Ultimately, the only thing this cowboy BS benefits is the reputation of the security dev, and it comes at great expense to users.

Now it would be completely another thing if he would exploit the bug in practice to reach other people's data - that certainly could and would be illegal.

Like, writing it into an app, actually uploading it to the AppStore, and not telling anyone there's a live exploit being downloaded by users?
 
Disclaimer: I read only the first page :)

As many people already said (and I agree with that):
Yes, Apple is getting a free security check from Miller.

I tend to agree that he should not have submitted an app taking advantage of the exploit ... or should he? I've been reading about Apple rejecting apps since the iOS app store started. They would reject apps for the pettiest of things; mostly from competing companies/developers providing services/functionality Apple did not (for whatever reason).

And here, I have a "malware" happily being approved.

I wonder, did Miller intend not only to point out a security flaw in iOS, but also an obvious flaw in the app approval process by Apple?

Cheers, R>
 
You're missing the point.

He knew about the vulnerability since March ... he developed an exploit, wrote an app, put it in the app store, and then told Apple that a vulnerability existed. He had 8 months. Apple has had 3 weeks. Do you really believe he told them exactly where to look?

So now they have to find and patch the vulnerability without breaking other things, and he wants them to do it on his timeline - when he took months to develop the exploit.
Knowing about a bug and finding a way to exploit it are two different pairs of shoes.
Also, fixing a bug when you know where the problem is is infinitely faster than finding and fixing a bug without knowing how to exploit or where the bug is to begin with.
 
Boy, lots of people are missing the point. Charlie Miller doesn't care about the developer's account. It's just needed to prove his concept and show a compromised app could be uploaded via regular channels. He disclosed it to Apple long before he made it public to give them time to fix it. He wasn't planning on making money off this. It's a throwaway account. He makes his money from private consulting and talks.

If he doesn't care about his developer account then surely he's not mad about this. Oh wait, he is:

“I’m mad,” he says. “I report bugs to them all the time. Being part of the developer program helps me do that.”

http://www.forbes.com/sites/andygre...per-program-for-proof-of-concept-exploit-app/
 
Yeah, why go after 200 million devices ? And what about going after iOS means you don't also get to go after Windows XP or Windows 7 or Android ?

Has anybody other than researchers looking for headlines successfully submitted a trojan into the iOS App Store?

No, because the requirements for acceptable apps via Apple's vetting process virtually eliminate the likelihood of getting profitable enough malware in the app store to warrant making the effort to do so.

Google allows anonymous signup and self-signed certificates with much less vetting. Coincidentally, the Android market has many more incidences of malware.

That's the thing, more vectors you can go after with your infrastructure for collecting the data, why wouldn't you use them ?

If the costs to exploit a new vector exceed the costs to further exploit an old vector given the same amount of profit returns, the new vector will be largely ignored.

This has always been the case in relation to malware in regards to any platform.

This is why malware, in the form of trojans, targeting OS X has only recently started to accelerate in growth. This is due to the increases in security of other platforms, such as Windows.

This is why malware is not yet a significant issue for iOS. Other much easier platforms are available to target.
 
It's a lose/lose for Charlie. I applaud his effort and Apple should have had more class. Now they need to get on the ball and actually fix this before some malicious hackers get on it. Apple is a big corporation. Open source projects that have serious security flaws can usually get a fix out within a day or 2, there's no reason Apple can't do it. Much less in a few weeks.
Yes, but short term, only. Like, a couple days. Long term, more recognition for him, and we'll just have to see what happens. Becomes win/win.

Problem with the internet is people come out and discuss and judge events before they are even finished. This is not over.
 