Apple bans researcher for making security loopholes public

Apple platforms have generally been seen as less susceptible to security breaches, and are trusted accordingly. That good name has now been dented by a researcher's stunt: he got an app through App Store review that could fetch and run unvetted code, then went public to show that the vulnerability is real. Instead of acknowledging the issue, Apple's first priority was to remove the app and expel him from its developer program.

The security of Apple's approval process for third-party apps was publicly called into question recently when a stock-tracking app, InstaStock, written by security researcher Charlie Miller, was found to be using a security loophole to demonstrate a weakness in iOS. While harmless by itself, the app could download additional code from the Internet once the user was online and run it, giving it the ability to access and manipulate sensitive information on the device, as well as to push bogus notifications.

The app had been live since September, but it was removed as soon as the flaw it exploited was discovered. The makers of iOS were equally swift to show their displeasure, revoking Miller's developer license as well.

The former NSA analyst had previously reported to Apple a security flaw, present since last year's iOS 4.3 update, which loosened the device's protections around JavaScript code. Despite anticipating Apple's reaction, Miller chose to prove the flaw by quietly submitting the app for circulation in the App Store, explaining that "without a real app in the App Store, people would say Apple wouldn't approve an app that took advantage of this flaw."

"Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check," Miller says. "With this bug, you can't be assured of anything you download from the App Store behaving nicely."

Miller was plainly unhappy with Apple's decision to punish him, tweeting: "First they give researchers access to developer programs (although I paid for mine), then they kick them... for doing research. Me angry."

He has reason to be upset: he had intended to present the flaw at the SyScan conference in Taiwan on 17 November. Like it or not, Miller has put a dent in Apple's reputation for building a well-protected platform, and while this may not level the mobile security playing field, it is enough to show that a lapse in vigilance can occur anywhere.


Source: Intomobile, Pocket-lint