This isn't the first glaring security hole that has been identified by the community, but it's most certainly the first to get renowned Mac hacker Charlie Miller kicked out of the iOS developer program.
The security flaw centers on the ability to run unsigned code in the memory of the browser, which he then expanded to include apps. This means that the hidden code doesn't get screened by the all-important code-signing check, a fundamental part of iOS security. The result is the opportunity to write seemingly compliant apps that download and run unauthorized code in the background throughout the entire system.
This is demonstrated by Charlie's app titled "instastock," which was fully approved into the App Store, as it seemed to contain no code that breaches Apple's terms. He then managed to remotely activate YouTube video playback, trigger the vibrate function on the phone and (more intrusively scary) download the entire list of contacts off the phone. See a video of this below.
So he's made us aware of a pretty significant security flaw. Apple's response to this? They removed the app, which is fair enough since the app actually is a form of malware, and removed his account from the iOS developer program. Cupertino is very much within its rights to do this (it's all in that big list of terms and conditions that nobody ever reads before clicking accept), but it all seems a bit harsh for someone who was merely identifying a security issue, and not using it for personal malicious gain. See the letter that Apple sent to Charlie Miller below.
In a rather funny turn of events, Microsoft was then quick to offer the booted researcher a free Windows Phone account. We know this is probably just generosity for the publicity of it, but it shows their greater enthusiasm for interaction with developers.
Letter to Charlie Miller
Subject: Notice of Termination
Date: November 7, 2011 4:49:34 PM CST
Dear Charles Miller:
This letter serves as notice of termination of the iOS Developer Program License Agreement (the "iDP Agreement") and the Registered Apple Developer Agreement (the "Registered Developer Agreement") between you and Apple, effective immediately.
Pursuant to Section 3.2(f) of the iDP Agreement, you agreed that you would not "commit any act intended to interfere with the Apple Software or related services, the intent of this Agreement, or Apple's business practices including, but not limited to, taking actions that may hinder the performance or intended use of the App Store or the Program". Further, pursuant to Section 6.1 of the iDP Agreement, you further agree that "you will not attempt to hide, misrepresent or obscure any features, content, services or functionality in Your submitted Applications from Apple's review or otherwise hinder Apple from being able to fully review such Applications." Apple has good reason to believe that you violated this Section by intentionally submitting an App that behaves in a manner different from its intended use.
Apple may terminate your status as a Registered Apple Developer at any time in its sole discretion and may terminate you upon notice under the iDP Agreement for dishonest and misleading acts relating to that agreement. We would like to remind you of your obligations with regard to all software and other confidential information that you obtained from Apple as a Registered Apple Developer and under the iDP Agreement. You must promptly cease all use of and destroy such materials and comply with all the other termination obligations set forth in Section 12.3 of the iDP Agreement and Section 8 of the Registered Developer Agreement.
This letter is not intended to be a complete statement of the facts regarding this matter, and nothing in this letter should be construed as a waiver of any rights or remedies Apple may have, all of which are hereby reserved. Finally, please note that we will deny your reapplication to the iOS Developer Program for at least a year considering the nature of your acts.
Sincerely, Apple Inc.
I am the Founder and Editor-in-chief of New Rising Media. You can follow me on Twitter @MrJasonEngland.