After Charlie Miller, a well known Apple security researcher, created a demo app to exploit a serious iOS bug in the iPhone and iPad, Apple suspended his developer account.
Miller uncovered a bug in iOS and demonstrated how it works on the iTunes App Store. Apple has revoked his access to the developer program.
A bug in iOS allows a malicious developer to run unsigned code on the user’s iPhone or iPad, circumventing the restrictions Apple has put in place, Miller, a principal research consultant and a security researcher well-known for hacking Apple products, told Forbes Nov. 7.
Hours later, the Instastock app he created to demonstrate the bug has been yanked from the the iTunes App Store and Apple suspended his access to the iOS Developer Program for one year, Miller said on Twitter.
“OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!” Miller wrote.
Apple designed the iPhone and iPad platform so that only signed apps from the iTunes App Store can be installed and run. The only way to get around this restriction is to exploit certain vulnerabilities to jailbreak the device. Combined with Apple’s supposedly strict app review and approval process, it was supposed to be too difficult to get malicious apps on the official App Store, unlike the Wild West that is the Android Market.
Miller found a bug and created an app that bypassed this protection entirely.
“They don’t like this stuff where they lose control of the platform. It’s serious stuff for them,” Miller told Forbes. He is expected to discuss the vulnerability at the SyScan conference in Taiwan on Nov. 18.
While the flaw Miller discovered can’t be used to jailbreak the devices, it showed that even apps from the official App Store can be malicious. Miller notified Apple about the bug on Oct. 14. He expected the company to fix the issue pretty quickly, considering the seriousness of the vulnerability.
“I thought they’d just remove the app and we’d still be friends,” Miller wrote on Twitter.
The benign app has been in the iTunes App Store since Sept. 14. Instastock claimed to display real-time stock price information, but Miller had added code that allowed the app to secretly communicate with a remote server. The backdoor capability allowed Miller to issue commands remotely to the device and perform actions such as accessing the contact list. The bug could be exploited on any iOS device running version 4.3 or later on both the iPhone and iPad.
When the user installed Instastock, it immediately phoned home to a remote server under Miller’s control for instructions. He did not push out any updates or send any commands, so users who have downloaded the app have not been exploited by the demo.
He did produce a short video to demonstrate the exploit, available on YouTube. In the video clip, he placed a file on the server and when the app on his own iPhone pinged the server, the code exploited the bug to open a remote shell. Miller was able to issue remote commands and perform several tasks on the iPhone.
Miller said he had created the demo app so that people couldn’t claim that Apple wouldn’t approve an app that took advantage of the bug he’d found.
Apple claimed the one year suspension was for violating the terms of service. Miller admitted that readily, but noted on Twitter that the terms don’t let him do any of the things he does as a security researcher in the first place.
“First they give researcher’s access to developer programs, (although I paid for mine) then they kick them out.. for doing research,” wrote an angry Miller. Other companies, notably Google, have adopted a friendlier stance with researchers looking for and reporting bugs.
Ironically, it had taken him three attempts to get the demo app past Apple’s review team onto the App Store. His first demo app, which allowed users to zoom in on pictures of David Hasselhoff, was rejected for not having any real value. The second attempt the review team rejected Instastock for using an API Apple didn’t support. The final version of Instastock was approved, and Apple didn’t notice that the app was doing more than just displaying stock prices.
As for Apple terminating his account, Miller said it felt “heavy-handed,” adding, “I miss Steve.”
