“Charlie Miller, the serial hacker who has exposed more than a dozen critical vulnerabilities in Apple’s Mac and mobile platforms, was kicked out of the company’s iOS developer program after publishing an application that demonstrated a serious new bug in iPhones and iPads,” Dan Goodin reports for The Register.
“Miller’s InstaStock app, which was accepted into the iTunes App Store in September, bills itself as a program that tracks stock prices in real time,” Goodin reports. “On Monday, Miller announced that the app contained a secret hack that bypassed protections built into iOS devices that prevent code from running on them unless it has been signed by Apple’s official cryptographic seal.”
Goodin reports, “A few hours after Miller disclosed the hidden payload, he received an email informing him that Apple was terminating him from the iOS Developer Program for violation of a clause in the program’s license in which he agreed he wouldn’t ‘hide, misrepresent or obscure any features, content, services or functionality’ of applications he submitted. ‘They had every legal reason to do it, but i still think it’s rude,’ Miller told The Reg. ‘It’s going to hinder my ability to help them secure their products.'”
Read more in the full article here.
Related article:
Apple working to correct iOS proof-of-concept malware – November 8, 2011
Got to agree with Charlie on this one.
Security researchers often “think different” and Apple should consider this guy as an asset. He is not the enemy here.
@ dude: so why can’t Charlie work with Apple instead of violating the developer rules? if he’s an asset to Apple, he’d sell Apple his technological talents rather than attempting to be devious and deceitful.
the hacker culture over-glorifies rulebreaking and under-glorifies solution-creating. I have no sympathy for Charlie on this one. If he was that good, he’d already have a corner office at Apple.
He deliberately released an app which permitted people to get around iOS security features, then announced it to the world, and is surprised when Apple terminates him?
All he had to do was take the app to Apple and show them what could be done, in private, and offer to help secure iOS (if that’s his real motive) or at least point it out to them and give Apple an opportunity to address it.
Agreed!! He was being deceitful and got snapped… Backpedalled and said it was for the ‘greater good’
For such a smart dude u a dumbass. If you wanted to ‘help’ you could of email them your concerns
But still, It may be better to have him inside the tent pissing out than outside the tent pissing in, no?
He was inside and pissing in the tent.
Agree; Miller voluntary signed to developer agreement, and then broke his own promise, thus committing a dishonest act.
Apple had no choice but to make an example of the guy. Charlie could have quietly shared his discovery with the folks at Apple, but instead he decided to sneak an app through so he’d a big feather in his cap when he speaks at some some hacker convention in Taiwan next week.
Apple is totally correct in adopting a zero-tolerance policy toward developers who break the rules for their own benefit, irrespective of whether it’s for money or for fame.
There are proper channels for disclosing bugs. Being a “professional”, he knows this. He made a bad decision. He violated TOS. Glad they gave him the boot.
100% with the 3 responses above.
There is a smart way, and a really stupid way to go about what he did. He chose the stupid way, and he even said he didn’t blame apple for what they did, apple had every right to do so.
Other stories say that he DID inform Apple, several weeks ago. Doesn’t make what he did right, but it does add a little more context to the story.
Doesn’t matter.
Even if true, apple doesn’t do anything.
Contact quickpwn, redmondpie, gawker… Explain that apple will not listen. Tell them only a few details, show them only as much as is needed.
Apple WILL listen.
Tell the cops you just committed a crime and got away with it to “prove a point”
Then whine when they arrest you?
People should read the full article before making a fool of themselves.
He DID inform Apple in advance of the security hole.
He DID put the app in the app store to conclusively show that even the latest Apple tests do not stop this exploit (otherwise people could have said “yeah, nice, but Apple will not allow it in”)
So please stop your knee-jerk reactions and read the full story first (that is also to the ones who agree 100% with the jerks).
I DID read the whole article MDN links to. But nowhere does it say that Miller informed Apple in advance about this particular vulnerability before he put this App out in the store and then bragged about it.
What the article DOES say is that he had informed Apple about vulnerabilities (other than this one, if I read it correctly) before, but never got any compensation for that.
Upon casual reading of second and third-hand reports of this elsewhere, my first inclination was the same as yours.
However, after reading here what he actually had to say about it, my opinion has changed. By his own admission, he intentionally broke the terms of his developer contract with Apple.
The only good thing about this is that it has shown that Apple does not go over every app’s code with a fine tooth comb. He got something past their review process and if he could do it, then someone else could, too. It wasn’t just a flaw in their code he exposed, but also a flaw in Apple’s system for reviewing apps.
That has put a big dent in consumer trust of Apple.
Unfortunately, he went about exposing the code flaw in the wrong way and it cost him.
However, reflecting about it as I’ve been writing, I don’t think this is an incident that back-fired and blew up in his face. I think he knew exactly what he was doing. Clearly, he wanted to do more than just expose a code flaw. He could have contacted Apple directly about that.
He wanted to slip something by Apple.
The word hubris comes to mind.
he agreed he wouldn’t ‘hide, misrepresent or obscure any features, content, services or functionality’ of applications he submitted.
What part of “NO” did he not understand?
It’s like Count Dracula dismissing one of the three ‘Brides of Dracula’ in the Bram Stoker novel for being interested in opening the veins in Jonathan Harker’s neck and sucking his blood. It’s in Apple’s best interest to keep one or two vampiric hackers under its wing so to speak to point out the security flaws in iOS app development.
Apple in this case would be better off emulating Count Orlok for pursuing the underside of the naked and the dead.
Dude. He published the app. Hacking around to find security flaws is an admirable thing, so long as you don’t endanger the users.
If I’d downloaded that “InstaStock” app, I’d want to sue him right about now.
——RM
And it’s not only that he published the app, the PUBLICIZED what it can do. Very stupid move.
Can’t have it both ways. If you are to find malware to prevent harm to Apple users, but design malware or spyware for your own profit, sorry, you are out and legal called to make sure the hammer comes down hard.
Some times the smart ones are the dumbest of them all.
If he were doing this for profit there wouldnn’t be a story because he’d silently be planting his trojans and cleaning out unsuspecting users lol.
Without a proof of concept its all just unproven theory.
You can’t expect a security researcher to “follow rules”. It kind of goes against the job description hehe
How many people used that same thinking to justify what they had done. “you can’t expect a “. ” to follow the rules.. Bla bla bla.
And then the thinking that it’s okay to bend the rules for certain people and not others.
Everyone that produces apps is placed with the same rules, no bending no tearing no looking blindly the other way.
Hell dude, just through out the book and let anyone do anything at anytime.
Breakem loseem.
Exactly, ‘Rules are rules’, spot on.
‘Dude’ is 100% wrong. Real security researchers hack all the time — using private intranets. They don’t deceitfully spread their experiments into the wild or actively mislead the public user community to download malware.
Charlie distributed his malware through the Apple store. His legal situation would be different if he had distributed the software himself. Rules are there for a very good reason — if anything, our society has become soft about enforcing many of them. Otherwise “Dude” would know better.
Dude, you’re absolutely wrong.
IF he were actually in it to prove to Apple that there are holes in their system, he’d have submitted the app and then when Apple approved it he would have told Apple there’s malware in there — and asked them to please pull it. At the same time he would have delineated how the malware operated and how he got it through the system undetected.
Then — IF Apple ignored his statements (either didn’t pull the app or didn’t even attempt to fix the security flaw — he could have gone public with it 60 to 90 days later. (i.e., give Apple time to act then announce publicly if Apple does not act)
His announcing it to the world first proves he is not in it to make Apple’s iOS better. He is in it to make himself look better. That is all.
Apple absolutely did the right thing.
If apple hired him to do such things, then yes, they should have kept him. Legally, and ethically, he broke the rules. Goodbye Charlie.
Look, the guy broke the rules. Apple simply cannot allow him to turn the App Store into his own experimentation lab. Others would clearly follow suit and the App Store would be ruined.
He’s a punk hacker who thinks so highly of himself that, in his own mind, he’s above Apple’s rules. Apple doesn’t play those games.
Apple was within its rights to boot him, but he is not a “punk hacker.” That implies a script kiddie who just copies other’s discoveries to create a new hack, whereas Miller seems to come up with them on his own. He may think too highly of himself, but he’s earned the reputation he has.
“Bust a deal, spin the wheel”
Rude?
What does that baking a potentially malicious exploit into your app under false pretenses make you?
Here’s a tip: notify Apple of the exploit beforehand and don’t abuse the approval system to serve the same ends. I don’t know what you thought was going to happen.
It is entirely possible to help Apple “secure their products” without being obnoxious.
So trusting Apple to provide a secure iPhone is out the window. Any other flaws Charlie may find is also gone. Get ready for our iPhone’s to become useless after installing an Apple approved app.
Your statement is so absurd that even you don’t believe it. Spare us.
Sorry, Charlie is not a one on a planet guy. It is in Apples best interest to have “Charlies” in House that are on their team. I don’t doubt that they do. And as usual, Apple does not advertise who works or what is behind the Cupertino walls until they are ready. We can only assume, and that is what we on the outside do best.
So, you’re totally cool with Miller publishing the infected app on the App Store and exposing millions of iPhone users to a security exploit. That’s just hunky-dory with you?
Or did you not think this through before you commented?
——RM
I’m cool with *Miller* doing this, because he’s demonstrated the exploit is not merely proof-of-concept AND reported it (though it enters the gray zone because he didn’t notify Apple of it before full public disclosure). Miller himself isn’t exposing iPhone users to the exploit, the exploit is already there! And if he discovered it, then it’s possible someone else already has too, and other apps by true criminals and black hats might already be in the app store.
The app was only published to prove the system was flawed; it was then publicly announced and respectfully pulled. Now what other hackers have already published apps that have even worse intentions? I don’t know. Neither does Apple until someone publically announced they have published a harmful app.
No, the app was only published as part of a scheme to make Miller look good. If it were to prove that the system (publishing system and a security hole) was flawed then he would not have announced it this way.
Come on, Apple. Didn’t you learn anything from Vito Corleone? Keep your friends close…
If it kills you it will not give you a chance to become strong. The dude purposely tried to kill.
do cereal hackers eat chop suey…?
No, Frosted Flakes
Listen all he wants is to be named and get credit for anything he does, he’s a media whore.
Now if his intent was to really help he wouldn’t have broken the Rules in the first place.
Plain and simple, why bend the rules, you break then no matter what you do your out.
This guy has done more harm then good, he has a pattern of trying to ride Apples back for attention. Plain and simple, he agreed to the rules of the app store and broke them.
You can argue to your blue in the face, he broke the rules made a app and put it online to collect information without telling Apple first of the hidden agenda of data collection it he was doing, and all in the name of research.
Miller might be good at exploits, but his pattern shows a very different story in helping to rid bugs.
You’re arresting me for bringing a bomb on the plane?! But I had no intention of and no way to detonate the stupid thing, you dumb arses! I just wanted to prove that there are security flaws! Man, you guys just don’t get it. I was trying to help you!
^^^ This is why we need a rep system for comments on this site. Dead on.
——RM
Good try but not quite: it’s like bringing a bomb on the plane but having a payload consisting of a firecracker. Then calling up airport security and telling them how you got it on board so it won’t happen again, with a real bomb (assuming they plug the hole).
And, finally, calling the press about it and showing off to your buddies at the security conference next week. This last part is pure ego on Miller’s part but I’m ok with that – Apple’s bug has a price – Apple gets publically embarrassed, Miller’s ego gets stroked. And nobody got hurt, when they easily could have.
Apple has really screwed up by yanking the guy’s access – this shows really poor judgement, pettiness. I doubt Jobs would have done that – he got the big picture – security bugs are bad, and this one is really bad.
No, Apple hasn’t screwed up. What will this guy publish next time? A To Do list app which secretly installs a trojan onto your iPhone and Mac that emails all of your passwords to his server? And then publishes the list of users compromised?
The guy’s a loose cannon, and Apple had to stop his access to the App Store before he caused some real trouble. Maybe he didn’t have any intentions on doing something evil with his app, but someone else could download and reverse engineer it pretty easily.
Of course the guy is a loose cannon, but he is an unloaded loose cannon made out of styrofoam.
Remember that Apple has all kinds of security researchers on staff who messed up – missed this.
The are real cannons out there, loaded, doing real targeted damage, working in parallel.
Charlie Miller – More interested in helping keep systems secure, or gaining publicity for himself? You make the call!
I would say both. You have to “advertise”.
+1. It’s hardly an either-or question.
You don’t warn someone that their house is a fire hazard by setting it on fire. There were much better ways to do what Miller did.
——RM
No way to know if he did more harm than good as there are smarter programmers out there looking to do worse things and some have done so.
My bet is the NSA and Chinese government hackers have dozens of holes they’ve found, but they keep their mouths shut so they can secretly use those iOS and Mac OSX holes.
“Miller told The Reg. ‘It’s going to hinder my ability to help them secure their products.’”
Next Step: (no pun intended) Fill out a job application at One Infinite Loop.
If you want to be known you have to step out of the crowd.
Releasing an exploit into the wild at a hackers conference, should be an incitement to terrorism. End of.
I couldn’t give a rat’s ass whether ‘this is the way these things are done’. The hacker is effectively saying:
“it’s not my fault that others will take what I have shown and create real, damaging exploits, it’s your fault for not correcting your code, adhering to some internal timetable I’ve just made up.”
They are saying (to Apple in this case) “you will correct this code according to my timescale, not yours – do as you are told.”
I can understand Apple’s reaction in this case.
If the hacker informs Apple, and then does nothing else, the result is that the exploit gets patched eventually.
If the hacker informs Apple, and then released the exploit soon after, the result is the hacker gets some publicity, we get hacked, and the expiloit gets patched eventually.
Hackers are childish, take their ‘jobs’ far too seriously, do this to massage their own egos and need to grow up.
“Terrorism”!!?? Give me a fucking break. That word has become so overused in American culture it’s lost any meaning (“judicial terrorism” was one ridiculous statement a few years ago to describe the court order permitting Terri Schiavo to die).
I ignored the rest of your comment based solely on your overly-emotional reaction.
Apple should hire him, and other hackers, to continually test their systems. That is, if they don’t already…
All over the BBC News page now. A response from Apple would be nice.
Apple did respond. They fired the guy from the Developer Program.
Sorry, but who gives a shit what the Beeb says. They frequently publish erroneous news items concerning tech subjects, they’re more concerned about sensationalising a subject, not really allowing the facts to get in the way of a news story. I’ve caught out TV and newspaper features getting their facts wrong on too many occasions to pay much attention to what the BBC’s news says about this.
If Charlie didn’t sneak around to get himself publicity, maybe the response would have been different. Seems like a publicity whore who could put his talent to more productive use.
‘It’s going to hinder my ability to help them secure their products.’”
That’s a threat plain and simple.
Tar and feather ALL hackers and drive them out the village!
I think Charlie is cool.
He helped prove that iOS is just as flawed as any other OS out there.
People are stupid to buy into a closed OS that doesn’t have thousands of Charlie’s examining the code for dangerous exploits every day.
Take it from me. Google by far has the more secure OS on the planet for there are more programers looking to see how it can be improved.
It is sad, but Apple users have a false sense of security and generally no clue how the iPhone really works.
Last report I read (about 60 days ago) cataloged that of the 27 major security interfaces able to be supported for remote corporate email, the iPhone supports 27. The Android phones support differing amounts depending upon the Android iteration, but the highest number supported in any currently shipping Android build is 7.
How does that make Android the more secure OS?
Android is indeed highly secure – I especially like the way that anybody can post code to the Android Marketplace without any checks of any sort. And the fact that the malware authors have done so many times.
Pay no attention to the fact that the code shipped is a private, non standard, generally never upgraded fork that nobody in the open source world will fully see. It sure is wonderful that high speed photocopiers are widely available.
Apple should hire him.