Don't shoot the weatherperson...
...unless you want to get wet!
Charlie Miller, the serial hacker who has exposed more than a dozen critical vulnerabilities in Apple's Mac and mobile platforms, was kicked out of the company's iOS developer program after publishing an application that demonstrated a serious new bug in iPhones and iPads. Miller's InstaStock app, which was accepted into the …
So he finds a flaw - commendable
Then he puts that flaw into an app and lets it be sold for 2 months.
And then he wonders why Apple, a company not known for taking a joke, canned his developer access?
He either needs to be saying he was trying to expose Apples weak app store application process (if that was the reason) and take the hit or admit that he really messed up.
"And then he wonders why Apple, a company not known for *taking security seriously*, canned his developer access?"
FTFY.
And from the story it doesn't sound like he's wondering why Apple canceled his access. I think he knows exactly why - their market depends heavily on a ludicrous mythology of "quality" and special exemption from the evils of the world, and they're much more interested in protecting that than they are in securing their products.
"So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year"
Thanks for exposing yourself as fanboi ;)
(I care about the facts, not the added emotions)
“Now I have to wait until it comes out and if they screwed it up no one will know until it's too late.”
Too late for what? He already announces the vulnerabilities without giving Apple a chance to fix them, so why shouldn't they pull his developer account? He doesn't care about the security, just the attention.
An interesting article about a developer finding exploits and the reaction of the company to public disclosure of the exploit. But what relevance does it have with Android?
"So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."
Are you trying to start arguments?
"So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."
So as per usual, Apple is playing catch up with something that Android has been doing for ages?
FLAME ON!
Strange, when I open the article I see there should be 11 comments, but none are visible yet.
Did they all mention the fallacy that is inherent in trying to justify Apple's behaviour and the existence of holes in iOS by pointing to android?
We all know by now that android is the touching stone for mobile OSs, no need to keep pointing to it when the article is about iOS or Apple touchiness.
http://www.forbes.com/sites/andygreenberg/2011/11/07/apple-exiles-a-security-researcher-from-its-developer-program-for-proof-of-concept-exploit-app/
Quote: "Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th."
There's nothing wrong with my critical thinking, thanks...
How long had Miller known about this bug? When did his app go live on the store? How long did it take for him to build his app and for it to progress through Apple's convoluted verification progress?
It's almost a certainty that he knew about the bug long ago, while iOS5 was still in beta, and yet he waited until 2 days after iOS5 had been released to the public before he informed Apple.
The man is, and always has been, a self-publicising arse. He has a track record of presenting his vulnerabilities such that Apple looks as bad as possible. However, this effort, deliberately placing malware on the app store and timing his report to Apple so that it was far too late for them to address his concerns, is low even by his standards.
Where does it say that he waited till 2 days after the release of iOS5 to tell Apple? It doesn't say when he told Apple but you seemed to think it is when he went public with the flaw.
Reading the article suggests to me that he had told Apple, and they didn't fix it, so he went public.
He says being booted off the dev programme means he can't find flaws before they are release to live suggests that he does indeed tell them before the code goes live.
Of course this is just my take one it, but I'm not looking through Apple shapes glasses....
But how3 many people were kicked out of the Android development for highlighting the flaw in Android???????
Any chance that crApple will be terminated from the iOS Developer Program for “hiding, misrepresenting and obscuring features, content, services and/or functionality”
The approval process should involve some vetting, and that vetting should have found the code that was doing stuff that wasn't described in the application. It's not like the real bad guys are going to say, 'Please approve our app which includes code that exploits a vulnerability in your OS.'
"So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."
And iOS 4.3 has been around for... about a year, including beta. Just because Miller is the first to tell anyone about it doesn't mean the vulnerability wasn't there before.
strange lack of criticism of Apple from the fanbois... or hasn't the penny dropped yet that the walled garaden doesn't protect you from malware?
Here's an app, approved and accepted by Apple, that contains malware. Users are unaware of it, there's nothing to indicate that the app is malicious. If this can be done by a researcher, you can bet that it will be done by the less-savoury side of society.
The walled garden my look pretty, but, you've no idea what's going on under the surface. At least with Android you can protect yourself, all apps have to declare what permissions they need, and you can see those before installing them. Even then, you can always install a permissions blocker. Does the App Store show you what access an app needs? Can you install permissions blockers?
Bitch and moan about this guy being an attention seeker all you want, all he is doing is pointing out that Apple aren't perfect and the App Store approval process won't protect you.
Jon Oberheide did something similar on Android; look up Rootstrap and his fake "Twilight: Eclipse" wallpaper app. Google handled things very differently, though. Their security team is allowed to talk to outsiders, and seem genuinely interested in doing so. Warm fuzzies all around. I'm not saying the circumstances are exactly the same (we'll never know both sides of the story here, with Apple's history), but it's safe to say they don't care about spinning things to appeal to technical people that might actually follow such news.
And the Android permissions model is a great idea. Unfortunately, nothing prevents an app from unsafely exposing permission-guarded functionality through its own unsafe interfaces. This is a pretty big problem what with all the custom skins manufacturers add to their firmware in order to shine things up a bit.
"Here's an app, approved and accepted by Apple, that contains malware. Users are unaware of it, there's nothing to indicate that the app is malicious"
That important message does seem to be being lost in the discussion about what happened to the developer.
Whether Android users are really any safer from malicious apps I couldn't say. No one is perfect and there will likely always be some way to slip something through any approval process.
>> Even then, you can always install a permissions blocker. <<
only if you've rooted your phone, which most users haven't. Most of them don't know what that means....
Tbh I'm getting a bit sick of moaning about this, but just to be clear, the permissions system on Android provides very little security unless you just don't install apps. Nearly every app I've looked at has wanted permissions that don't seem relevant to the job it's doing. How many people just click install? I don't, but that's why I've only got about 3 apps installed on my phone...
Holding up android as a way to manage permissions correctly is wrong. There are many threads on the google boards requesting permission control after app install, and many crap programmers moaning that that means they'd have to trap permission exceptions and it's not worth it....
@thesykes
I'd read this if I were you
http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/
And don't forget the HTC data logger
http://www.theregister.co.uk/2011/10/03/htc_android_security/
Don't worry though at the rate Android fixes reach handsets these should all be fixed soon....
"yes there is malware out there, yes there have been attacks. Doesn't matter."
Why does it not matter? Surely as the more popular mobile OS and with it's slow upgrade mechanism it matters more.
"Concentrate on the real problem. It is possible to plant malware in the App Store and there is noting you can do to stop it."
I am concentrating on the real problem. Yes it's a serious flaw in iOS and users are not protected against it. You seem to think Android protects you but as the links in my earlier post prove there is no protection against poor software.
Apple would have you believe that it isn't possible at all. It's hard to know if Miller told Apple first. In the past when he's done so Apple have ignored him. I think he knew what to expect here, but Apple have played right into his hands. banning his account for exposing a flaw shows how they take their reputation more seriously than security.
"[...] to help them secure their products." Is that the new "full diclosure" procedure - you upload an app, sell it for weeks, make a large number of devices vulnerable to the very flaw you're trying to "help" the vendor with...?
This guy might be taking the "black hat" motive a step too far.
I hope he gets sued by actual users of his trojan, too.
I always see companies act like kids when they have no idea what to do. Post a flaw and we will ban you.
Good for you apple. You just accomplished nothing.
This is the point at which anonymous should be doing something. OMG, I just pulled the rope. The curtain is opening.
As for Charlie Miller. To the torrents.