Apple has banned well-known security researcher Charlie Miller from its developer program, for creating an apparently benign iOS app that was actually designed to exploit a security flaw he had uncovered in the firmware.
Within hours of talking about the exploit with Forbes' security reporter Andy Greenberg, who published the details, Miller received an email from Apple: "This letter serves as notice of termination of the iOS Developer Program License Agreement ... between you and Apple. Effective immediately."
Based on Greenberg's follow-up story, Apple was clearly within its rights to do so. Miller created a proof-of-concept application to demonstrate the security flaw and how it could be exploited by malicious code. He then hid it inside an apparently legitimate stock ticker program, an action that, according to Apple, "violated the developer agreement that forbid[s] him to 'hide, misrepresent or obscure' any part of his app," Greenberg wrote.
He quoted Miller, who works for security consultancy Acuvant, "I'm mad. I report bugs to them all the time. Being part of the developer program helps me do that. They're hurting themselves, and making my life harder."
Miller, a former National Security Agency staffer, is a well-known "white hat" hacker (he made Network World's recent list of "Security All Stars"), with expertise in Apple's Mac OS X and iOS platforms, including the Safari browser, and in Android. Miller "has found and reported dozens of bugs to Apple in the last few years," Greenberg noted. Miller reported the latest one barely three weeks ago, and it was Greenberg's public account of it yesterday, in advance of a planned public presentation by Miller next week, that got the researcher kicked out of the developer program.
The vulnerability is a fascinating exercise in information security sleuthing. Miller uncovered a flaw introduced in Apple's restrictions on code signing on iOS devices. Code signing is a process by which only Apple-approved commands run in device memory, according to Greenberg's account.
Most modern OSes do allow this, to optimize performance. Apple's iOS blocks it for Mobile Safari, to optimize security. "If you allow for pages of memory to be escalated from writable to executable ... then you are enabling the execution of unsigned native code. It breaks the chain of trust. Allowing remote code to execute locally turns every locally exploitable security flaw into a remotely exploitable one."
And that, apparently, is exactly what Miller was able to do. Miller not only realized Apple had created this exception for Mobile Safari, but he also uncovered what he called "this one weird little corner case" -- a bug -- where it was possible for another program besides the browser to also use it.
Miller hasn't yet publicly revealed what the bug is. But he created a booby-trapped app, called Instastock, to demonstrate it. The app passed Apple's code inspection and was published on the App Store. (Yesterday, after Greenberg's story went live, it was removed.) On the surface, the app just listed stock tickers. But underneath, it connected to a server in Miller's St. Louis home. The device could pull down from the server, and execute, whatever commands he coded. The accompanying video, made by Miller, shows the app reading files on an iPhone and making it vibrate.
"Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check," Miller says, reported in the Forbes story. "With this bug, you can't be assured of anything you download from the App Store behaving nicely."
Apple apparently has not yet said anything publicly about the exploit or its implications.
John Cox covers wireless networking and mobile computing for Network World. Twitter: http://twitter.com/johnwcoxnww Email: email@example.com Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed
Read more about anti-malware in Network World's Anti-malware section.
This story, "Apple bans security researcher for app exposing iOS flaw" was originally published by NetworkWorld.