X

Apple boots security guru who exposed iPhone exploit

A prominent security researcher has been ousted from Apple's development programs after publishing research that demonstrated vulnerabilities in the company's mobile app software.

Josh Lowensohn Former Senior Writer
Josh Lowensohn joined CNET in 2006 and now covers Apple. Before that, Josh wrote about everything from new Web start-ups, to remote-controlled robots that watch your house. Prior to joining CNET, Josh covered breaking video game news, as well as reviewing game software. His current console favorite is the Xbox 360.
Josh Lowensohn
4 min read
Apple

Security researcher Charlie Miller has been ejected from participating in Apple's developer programs, shortly after releasing early findings of a security hole in the company's iOS software.

Miller announced the news on Twitter this afternoon, saying "OMG, Apple just kicked me out of the iOS Developer program. That's so rude!"

Earlier today Forbes' Andy Greenberg published a story featuring Miller, who is a well-known security researcher who targets Apple's products and services. Miller's latest discovery was a security hole in iOS that let applications grab unsigned code from third-party servers that could be added to an app even after it has been approved and is live on Apple's App Store.

To test the feature, Miller released a generic stock-checking app called InstaStock that could tap into his own server and grab bits of code to show that it worked. As noted in our original coverage, such behavior is grounds for dismissal from Apple's developer program, as spelled out in Apple's App Store guidelines.

But as Apple notes in its letter to Miller (posted below), he violated sections 3.2 and 6.1 of Apple's iOS Developer Program License Agreement (a separate agreement), which respectively cover interfering with Apple's software and services, and hiding features from the company when submitting them.

"I don't think they've ever done this to another researcher. Then again, no researcher has ever looked into the security of their App Store. And after this, I imagine no other ones ever will," Miller said in an e-mail to CNET. "That is the really bad news from their decision."

Apple did not immediately respond to a request for comment on the matter.

Miller has highlighted numerous security flaws within Apple software over the years, with one of his most high-profile discoveries being a hack for the mobile version of Safari in 2007, shortly after the first iPhone was released. Additionally, he's been a fixture at the Pwn2Own security contest to gain control of Apple's Mac OS X computers through the built-in Safari Web browser. More recently, Miller detailed that the low-level system software that ships on all of Apple's recent-model batteries was protected by the same two passwords, letting would-be attackers theoretically disable the batteries given access to an administrator account.

In a tweet, Miller noted that he paid for his development accounts himself, despite the company doling out access to security researchers.

Below is Apple's letter to Miller:

From: appledevnotice@apple.com
Subject: Notice of Termination
Date: November 7, 2011 4:49:34 PM CST
To: [redacted]


Dear Charles Miller:


This letter serves as notice of termination of the iOS Developer Program License Agreement (the "iDP Agreement") and the Registered Apple Developer Agreement (the "Registered Developer Agreement") between you and Apple, effective immediately.


Pursuant to Section 3.2(f) of the iDP Agreement, you agreed that you would not "commit any act intended to interfere with the Apple Software or related services, the intent of this Agreement, or Apple's business practices including, but not limited to, taking actions that may hinder the performance or intended use of the App Store or the Program". Further, pursuant to Section 6.1 of the iDP Agreement, you further agree that "you will not attempt to hide, misrepresent or obscure any features, content, services or functionality in Your submitted Applications from Apple's review or otherwise hinder Apple from being able to fully review such Applications." Apple has good reason to believe that you violated this Section by intentionally submitting an App that behaves in a manner different from its intended use.


Apple may terminate your status as a Registered Apple Developer at any time in its sole discretion and may terminate you upon notice under the iDP Agreement for dishonest and misleading acts relating to that agreement. We would like to remind you of your obligations with regard to all software and other confidential information that you obtained from Apple as a Registered Apple Developer and under the iDP Agreement. You must promptly cease all use of and destroy such materials and comply with all the other termination obligations set forth in Section 12.3 of the iDP Agreement and Section 8 of the Registered Developer Agreement.


This letter is not intended to be a complete statement of the facts regarding this matter, and nothing in this letter should be construed as a waiver of any rights or remedies Apple may have, all of which are hereby reserved. Finally, please note that we will deny your reapplication to the iOS Developer Program for at least a year considering the nature of your acts.


Sincerely, Apple Inc.