A whistleblowing iOS app developer has seen his license revoked after revealing an Apple bug that could allow trojan software to infect iPhones and iPads. Coder Charlie Miller managed to get his test app – which uses a flaw in Apple’s code signing policies to subsequently contact a remote server and potentially allow a hacker to suck photos and contacts from the device, among other things – through Apple’s App Store approvals process, Forbes reports, but was ejected from the iOS Developer Program after revealing the issue.
The termination came just hours after Miller made the loophole public, and according to Apple is “effective immediately.” The company’s justification is that the exploit was hidden inside a stock ticker app shell, which contravenes the section of the App Store agreement that forbids a developer from using such a system to “hide, misrepresent or obscure” software.
“I’m mad … I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.” Charlie Miller, security researcher
Miller apparently notified Apple of the security issue back on October 14; while Apple has not commented on the situation, the app he submitted – and had approved – has now been removed from the App Store. “This bug basically reduces the security of iOS to that of Android,” Miller says, referring to Google’s hands-off approach with Android Market submissions.
In contrast, Apple has always made much of its stringent testing process, insisting that developers refine their code and toe the line with App Store standards if they want their apps to be distributed. Miller claims the loophole he took advantage of was a side-effect of Apple attempting to speed up browser JavaScript performance, as the company raced to brand its Safari mobile browser the fastest on the market.