back to article Apple expels serial hacker for publishing iPhone exploit

Charlie Miller, the serial hacker who has exposed more than a dozen critical vulnerabilities in Apple's Mac and mobile platforms, was kicked out of the company's iOS developer program after publishing an application that demonstrated a serious new bug in iPhones and iPads. Miller's InstaStock app, which was accepted into the …

COMMENTS

This topic is closed for new posts.
  1. metaspective
    FAIL

    Don't shoot the weatherperson...

    ...unless you want to get wet!

  2. Anonymous Coward
    Anonymous Coward

    seems Apple can't take criticism. Oh dear.

    1. L1feless

      perhaps I was wrong...

      Maybe the Jobs ignorance will live on after his death....what a shame.

  3. BristolBachelor Gold badge

    Apple notified first

    I read elsewhere that he only uploaded the app to the app store after he notified Apple and they failed to acknowledge the problem (or fix it).

  4. buxtonmarauder
    Black Helicopters

    If Apple had any brains..

    ..they would hire this guy and make the usual PR noise about it..

  5. Tchou
    Pint

    Haha!

    Haha!

    Nothing more nothing less.

    Ho, and i'll drink to that.

  6. Gordon 10

    Reasonable disclosure

    Did he tell Apple first?

    If not he's just a publicity seeking tosser and Apple are in the right.

    If he did then shame on Apple.

  7. Iceman
    Devil

    This will be a long thread :-)

  8. Forget It
    Coffee/keyboard

    Some thing biblical here

    Apple expels ... hacker

    Walled garden

    Tree of knowledge

    Apple bitten

    Hacker/humanity expelled.

    right & wrong confused ... you do the math.

  9. AndrewG

    Poor Baby

    So he finds a flaw - commendable

    Then he puts that flaw into an app and lets it be sold for 2 months.

    And then he wonders why Apple, a company not known for taking a joke, canned his developer access?

    He either needs to be saying he was trying to expose Apples weak app store application process (if that was the reason) and take the hit or admit that he really messed up.

    1. Michael Wojcik Silver badge

      "And then he wonders why Apple, a company not known for *taking security seriously*, canned his developer access?"

      FTFY.

      And from the story it doesn't sound like he's wondering why Apple canceled his access. I think he knows exactly why - their market depends heavily on a ludicrous mythology of "quality" and special exemption from the evils of the world, and they're much more interested in protecting that than they are in securing their products.

  10. Geoff Campbell Silver badge
    Pirate

    That's the trouble with Apple....

    ....no sense of humour. Boring buggers.

    GJC

  11. Version 1.0 Silver badge

    Give him a job

    It would have made more sense to give him a job fixing their products ... odd how quickly they react when this happens ... so I assume they'll have the bug fixed tomorrow eh?

  12. Captain Scarlet
    Holmes

    Omg I break the rules and they kick me out!

    It can't be me sitting here thinking wth was he thinking, of course they will tell you to leave as they only want smug people not saying "LOOK HERE A BUG!!"

    1. Captain Scarlet
      FAIL

      Already notified Apple

      Ok reading above he already notified Apple so I have to admit that my statement was based on I thought he hadn't notified them.

      So I fail I think

  13. petur
    FAIL

    Apple fanboi is hurt?

    "So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year"

    Thanks for exposing yourself as fanboi ;)

    (I care about the facts, not the added emotions)

  14. Anonymous Coward
    Anonymous Coward

    “Now I have to wait until it comes out and if they screwed it up no one will know until it's too late.”

    Too late for what? He already announces the vulnerabilities without giving Apple a chance to fix them, so why shouldn't they pull his developer account? He doesn't care about the security, just the attention.

  15. Steve Coburn

    An interesting article about a developer finding exploits and the reaction of the company to public disclosure of the exploit. But what relevance does it have with Android?

    "So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."

    Are you trying to start arguments?

    1. Anonymous Coward
      Go

      Balanced?

      I wondered about that myself.

      Perhaps it's balanced reporting.

      Perhaps it's a way to stop an argument from flaring up in the comments between various flavours of zealot.

      Perhaps just drawing a comparison.

      Perhaps it's none of those things.

  16. Dan 55 Silver badge

    Um?

    Shouldn't Apple's review process have caught out this 'secret hack', or is it basically reduced to being picky about the UI and acting as Pornographer General?

  17. Mr Brush
    Trollface

    "So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."

    So as per usual, Apple is playing catch up with something that Android has been doing for ages?

    FLAME ON!

    1. BristolBachelor Gold badge
      Coffee/keyboard

      <-- New keyboard please :)

    2. noboard
      FAIL

      Actually...

      When you've finished trying to be funny I think you'll find Android copied Apples patent of "Shit happens when shit happens", when they introduced that bug. So Apple thought of it aaaaaaaages ago, they just didn't want to add the feature to the early iPhones.

  18. Anonymous Coward
    WTF?

    11 comments> Where are they?

    Strange, when I open the article I see there should be 11 comments, but none are visible yet.

    Did they all mention the fallacy that is inherent in trying to justify Apple's behaviour and the existence of holes in iOS by pointing to android?

    We all know by now that android is the touching stone for mobile OSs, no need to keep pointing to it when the article is about iOS or Apple touchiness.

    1. Dave 142

      I think that point was there to try and head off a load of pointless bragging from Fandroids.

  19. jubtastic1
    FAIL

    Doh

    He published malware onto the appstore, which has almost certainly been downloaded by users given its been up there for over a month, has been testing live payloads, and he's surprised they pulled his account?

    Critical thinking fail.

    1. technome
      FAIL

      Original article on forbes...

      http://www.forbes.com/sites/andygreenberg/2011/11/07/apple-exiles-a-security-researcher-from-its-developer-program-for-proof-of-concept-exploit-app/

      Quote: "Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th."

      There's nothing wrong with my critical thinking, thanks...

  20. technome
    Devil

    The timing is everything in this story...

    How long had Miller known about this bug? When did his app go live on the store? How long did it take for him to build his app and for it to progress through Apple's convoluted verification progress?

    It's almost a certainty that he knew about the bug long ago, while iOS5 was still in beta, and yet he waited until 2 days after iOS5 had been released to the public before he informed Apple.

    The man is, and always has been, a self-publicising arse. He has a track record of presenting his vulnerabilities such that Apple looks as bad as possible. However, this effort, deliberately placing malware on the app store and timing his report to Apple so that it was far too late for them to address his concerns, is low even by his standards.

    1. PsychicMonkey
      Stop

      where?

      Where does it say that he waited till 2 days after the release of iOS5 to tell Apple? It doesn't say when he told Apple but you seemed to think it is when he went public with the flaw.

      Reading the article suggests to me that he had told Apple, and they didn't fix it, so he went public.

      He says being booted off the dev programme means he can't find flaws before they are release to live suggests that he does indeed tell them before the code goes live.

      Of course this is just my take one it, but I'm not looking through Apple shapes glasses....

  21. Field Marshal Von Krakenfart
    Big Brother

    First I am the Lord thy Apple, thou shalt not bear false (or true) witness against me.

    But how3 many people were kicked out of the Android development for highlighting the flaw in Android???????

    Any chance that crApple will be terminated from the iOS Developer Program for “hiding, misrepresenting and obscuring features, content, services and/or functionality”

    1. bean520
      Linux

      you, sir, just failed

      1) there is no being kicked out of android development - only the Marketplace

      2) Many have written malware exploiting android's (and the user's) weaknesses. Many (impossible to know if all) have been kicked out of the Marketplace

  22. Ralthor

    one wonders....

    .... if he notified apple about the exploit before publishing it?

    1. DZ-Jay

      Re: one wonders....

      He probably did. However, I very much doubt he also said, "oh and by the by, if you wanna check out the bug, just download my app from the PRODUCTION APP STORE and I'll hack your iPhone so you can see."

    2. technome

      Does one wonder?

      Well, wonder no more.

      He knew about the bug in March, developed an exploit and placed his malware on the App store by September, but did not inform Apple until October 14th.

      The man is an arse!

    3. Tom 13

      In some ways whether or not he did is irrelevant.

      The approval process should involve some vetting, and that vetting should have found the code that was doing stuff that wasn't described in the application. It's not like the real bad guys are going to say, 'Please approve our app which includes code that exploits a vulnerability in your OS.'

  23. Cuddles

    A title is optional

    "So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."

    And iOS 4.3 has been around for... about a year, including beta. Just because Miller is the first to tell anyone about it doesn't mean the vulnerability wasn't there before.

  24. DeVino
    Happy

    No rough play !

    Love the "Now play nicely kids" comment in the last sentence of the article

  25. Giles Jones Gold badge

    Awww diddums. At times I feel these security researchers are doing it for their ego rather than the good of the companies they submit their bugs to.

    The feeling of power and being able to screw over big companies becomes too tempting for some of them.

  26. Anonymous Coward
    Holmes

    Job offer

    There's a rumour he's been offered a job my MS

    http://www.theverge.com/2011/11/8/2546435/researcher-who-exposed-an-ios-app-vulnerability-loses-his-developer

  27. Velv
    Gimp

    Canned his account! Seriously?

    You don't think he's got more than one developer account? Not exactly hard things to get.

    Apple prove once again that their PR people have no clue how to deal with anyone who falls outside their Fanbois vision

  28. thesykes

    strange lack of criticism of Apple from the fanbois... or hasn't the penny dropped yet that the walled garaden doesn't protect you from malware?

    Here's an app, approved and accepted by Apple, that contains malware. Users are unaware of it, there's nothing to indicate that the app is malicious. If this can be done by a researcher, you can bet that it will be done by the less-savoury side of society.

    The walled garden my look pretty, but, you've no idea what's going on under the surface. At least with Android you can protect yourself, all apps have to declare what permissions they need, and you can see those before installing them. Even then, you can always install a permissions blocker. Does the App Store show you what access an app needs? Can you install permissions blockers?

    Bitch and moan about this guy being an attention seeker all you want, all he is doing is pointing out that Apple aren't perfect and the App Store approval process won't protect you.

    1. Anonymous Coward
      Anonymous Coward

      Jon Oberheide did something similar on Android; look up Rootstrap and his fake "Twilight: Eclipse" wallpaper app. Google handled things very differently, though. Their security team is allowed to talk to outsiders, and seem genuinely interested in doing so. Warm fuzzies all around. I'm not saying the circumstances are exactly the same (we'll never know both sides of the story here, with Apple's history), but it's safe to say they don't care about spinning things to appeal to technical people that might actually follow such news.

      And the Android permissions model is a great idea. Unfortunately, nothing prevents an app from unsafely exposing permission-guarded functionality through its own unsafe interfaces. This is a pretty big problem what with all the custom skins manufacturers add to their firmware in order to shine things up a bit.

    2. Jason Bloomberg Silver badge
      Alert

      Bottom line

      "Here's an app, approved and accepted by Apple, that contains malware. Users are unaware of it, there's nothing to indicate that the app is malicious"

      That important message does seem to be being lost in the discussion about what happened to the developer.

      Whether Android users are really any safer from malicious apps I couldn't say. No one is perfect and there will likely always be some way to slip something through any approval process.

    3. sabroni Silver badge

      @thesykes, 13:21

      >> Even then, you can always install a permissions blocker. <<

      only if you've rooted your phone, which most users haven't. Most of them don't know what that means....

      Tbh I'm getting a bit sick of moaning about this, but just to be clear, the permissions system on Android provides very little security unless you just don't install apps. Nearly every app I've looked at has wanted permissions that don't seem relevant to the job it's doing. How many people just click install? I don't, but that's why I've only got about 3 apps installed on my phone...

      Holding up android as a way to manage permissions correctly is wrong. There are many threads on the google boards requesting permission control after app install, and many crap programmers moaning that that means they'd have to trap permission exceptions and it's not worth it....

      1. Keep Refrigerated

        LBE Privacy Guard

        That is all.

    4. Markl2011
      FAIL

      @thesykes

      I'd read this if I were you

      http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/

      And don't forget the HTC data logger

      http://www.theregister.co.uk/2011/10/03/htc_android_security/

      Don't worry though at the rate Android fixes reach handsets these should all be fixed soon....

      1. thesykes

        this isn't about Android vulnerabilities though.No, it's not perfect, yes there is malware out there, yes there have been attacks. Doesn't matter.

        Concentrate on the real problem. It is possible to plant malware in the App Store and there is noting you can do to stop it.

        1. Markl2011

          "yes there is malware out there, yes there have been attacks. Doesn't matter."

          Why does it not matter? Surely as the more popular mobile OS and with it's slow upgrade mechanism it matters more.

          "Concentrate on the real problem. It is possible to plant malware in the App Store and there is noting you can do to stop it."

          I am concentrating on the real problem. Yes it's a serious flaw in iOS and users are not protected against it. You seem to think Android protects you but as the links in my earlier post prove there is no protection against poor software.

  29. windywoo
    Alert

    The difference between this and android.

    Apple would have you believe that it isn't possible at all. It's hard to know if Miller told Apple first. In the past when he's done so Apple have ignored him. I think he knew what to expect here, but Apple have played right into his hands. banning his account for exposing a flaw shows how they take their reputation more seriously than security.

  30. Frank Bitterlich
    Mushroom

    Does not compute...

    "[...] to help them secure their products." Is that the new "full diclosure" procedure - you upload an app, sell it for weeks, make a large number of devices vulnerable to the very flaw you're trying to "help" the vendor with...?

    This guy might be taking the "black hat" motive a step too far.

    I hope he gets sued by actual users of his trojan, too.

    1. JoshOvki
      WTF?

      users of his trojan?

      Lots of over whelming evidence that he used the app to exploit phones other than his test pieces. The app itself works well by the looks of things, it shows stock market info.

      Do you mean white/grey hat?

      (WTF? - Because fanbois don't know what to do now)

  31. sisk

    Normally I feel that Apple's in the wrong when they do these sorts of things, but not this time. I'd have dumped him out of the program to. Regardless of whether he informed Apple of the flaw beforehand or not that was a dick move on his part.

  32. R 16
    FAIL

    WOW - dummies

    I always see companies act like kids when they have no idea what to do. Post a flaw and we will ban you.

    Good for you apple. You just accomplished nothing.

    This is the point at which anonymous should be doing something. OMG, I just pulled the rope. The curtain is opening.

    As for Charlie Miller. To the torrents.

  33. Anonymous Coward
    Anonymous Coward

    Gild Cages

    Apple can't have the masses know that their Gilded Cages are not secure, the horror :-P

This topic is closed for new posts.

Other stories you might like