Apple shoots the messenger for discovering security loophole in iOS

BAM!! Apple is behaving in a strange way. Yes it is. Those who have heard the Charles Miller side of story would definitely agree. Charles Miller who? Okay lets revisit what has had happened.

Charles Miller, a computer security researcher with the consulting firm Accuvant LABS demonstrated that even after Apple’s high-fly statements about its App Store being completely safe, the App Store can actually be a safe haven for malicious apps thanks to a huge security loophole in there. Miller created an app called as InstaStocks and submitted it to the Apple App Store which in turn certified it in September 2011. After installing and running it on an iPhone for the very first time, InstaStocks runs pretty much the same way as expected, i.e it dishes out statistics and figures about the stock market. But after re-installing it the second time on the device, it doesn’t give you those ‘expected‘ stock market details. Instead it starts playing a YouTube video which wasn’t what the user had in mind.

YES! This  means that erroneous code did creep in which can control/perform various activities and processes on the iPhone without the user’s permission. By activities and processes, it may mean downloading the whole address book, i.e steal data, send text messages and even delete information – all without the users’ consent. And this is a certified app on the Apple App Store. OMG! In other words, Charles Miller exposed a very big security vulnerability.

And what did he get in return from Apple?  Banishment from Apple’s developer program, for one year!

“Apple has good reason to believe that you violated (the iOS developer agreement) by intentionally submitting an App that behaves in a manner different from its intended use” is Apple’s response to Charles Miller.

Miller tweeted:

OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!

Tsk, tsk!

Adds Miller:

You can imagine downloading a nice app like Angry Birds, but instead of just being Angry Birds, it actually could download and do anything it wants, and Apple would have no idea that had happened.

Apple, is this what you do to someone who tries to help you, maybe in a hard-hitting way? Don’t you hire his services and fix this bug or instead do you consider this inappropriate and snatch his developer access/expel him from the App Store? HOW LAME! Agreed that Charles Miller did violate the App store regulations by uploading a malicious app but is it that important to BANISH him or is the safety of the millions of iPhone users important? Wasn’t he trying to prove a point?

We occasionally do hear a lot of talk about how the Mac OS is more secure than Windows (namely) and other Operating Systems, how the iOS provides more user security features and control than Windows Phone 7? Really? After being proved by Miller, I do not agree. And neither a large chunk of people do. My bet.

In case one might tend to think about who exactly Charles Miller is, let me put together a couple of facts here.

  • In 2008, Charles Miller won a $10,000 cash prize at the hacker conference Pwn2Own in Vancouver Canada for being the first to find a critical bug in the ultrathin MacBook Air—deploying an exploit in 2 minutes.
  • In 2009, he won $5,000 for cracking Safari in under 10 seconds.
  • Again in 2009, Miller also demonstrated an SMS processing vulnerability that allowed for complete compromise of the Apple iPhone and denial-of-service attacks on other phones.

That said and done, now the question arises “What if Microsoft had done the same in such a situation!?“.

There would have been a hue and cry with plenty of blogs already talking about this and all the Microsoft-bashers would have sprung to life. On the other hand, this whole Apple saga has been a hush-hush affair – more or less.

Apple has some great products, a tremendous reputation and immense fan-following. Rather than expel the developer, maybe it should in fact   induct Charles Miller as a security researcher into its rolls; whether Miller accepts it or not is a different issue.

To all those iPhone users who happily flash their prized devices, think of SECURITY as your primary concern before visiting the App Store.

In Charles Miller’s own words: “First they give researcher’s access to developer programs, (although I paid for mine) then they kick them out…for doing research”.

Watch Miller!

 A classic case of ‘shooting the messenger’!

Posted by with Tags
Microsoft Student Partner | Computer Science graduate | Loves flirting with technology | Microsoft watcher | Syed Asrarullah lives on the web at @asrartheone.

Leave a Reply

Your email address will not be published. Required fields are marked *

4 + 9 =