Apple Bans Security Researcher Charlie Miller For Exposing iOS Exploit


The latest wave in the infosec world is that Apple has banned the well known security researcher – Charlie Miller – from it’s developer program for exposing a new iOS exploit.

It’s not really the smartest move as I’m pretty sure anyone as smart as Charlie Miller still has plenty of options – use another person’s account, sign up another account with a different identity, hack the phone without the developer program access and so on..

Really it’s quite a harsh move from Apple and it’s not going to make them any friends in the security industry.

Apple has banned well-known security researcher Charlie Miller from its developer program, for creating an apparently benign iOS app that was actually designed to exploit a security flaw he had uncovered in the firmware.

Within hours of talking about the exploit with Forbes’ security reporter Andy Greenberg, who published the details, Miller received an email from Apple: “This letter serves as notice of termination of the iOS Developer Program License Agreement … between you and Apple. Effective immediately.”

Based on Greenberg’s follow-up story, Apple was clearly within its rights to do so. Miller created a proof-of-concept application to demonstrate the security flaw and how it could be exploited by malicious code. He then hid it inside an apparently legitimate stock ticker program, an action that, according to Apple, “violated the developer agreement that forbid[s] him to ‘hide, misrepresent or obscure’ any part of his app,” Greenberg wrote.

He quoted Miller, who works for security consultancy Acuvant, “I’m mad. I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”

In a way though, you have to agree that Miller did violate the very specific developer program agreement by hiding the PoC inside a legitimate application. That probably wasn’t his smartest idea, but then again it’s helping Apple and he’s not doing it in a malicious way to infect people – he’s doing it as a security researcher.

Apple should be more proactive on working with people like this, people who are actually fixing bugs in their products for free and improving the user experience.

It’s the way Apple operates though, secretive, exclusive, domineering etc. If you don’t do things their way, screw you.


Miller, a former National Security Agency staffer, is a well-known “white hat” hacker (he made Network World’s recent list of “Security All Stars”), with expertise in Apple’s Mac OS X and iOS platforms, including the Safari browser, and in Android. Miller “has found and reported dozens of bugs to Apple in the last few years,” Greenberg noted. Miller reported the latest one barely three weeks ago, and it was Greenberg’s public account of it yesterday, in advance of a planned public presentation by Miller next week, that got the researcher kicked out of the developer program.

The vulnerability is a fascinating exercise in information security sleuthing. Miller uncovered a flaw introduced in Apple’s restrictions on code signing on iOS devices. Code signing is a process by which only Apple-approved commands run in device memory, according to Greenberg’s account.

Miller began to suspect a flaw when Apple released iOS 4.3 in March. He realized that to boost the speed of the mobile Safari browser, Apple for the first time had allowed javascript code from a website to run at a deeper level in memory. This entailed creating a security exception, allowing the browser to run unapproved code. According to Greenberg’s story, Apple created other security restrictions to block untrusted websites from exploiting this exception, so that only the browser could make use of it.

Miller wasn’t the only one to notice that Apple had done something different with Safari in iOS 4.3, but many didn’t understand what was actually happening. Various news sites and bloggers claimed that Web apps running outside of Safari, and its new Nitro javascript engine, were slower. Some suggested that Apple was deliberately slowing them down to make Web apps less attractive than native ones.

The way in which Miller uncovered the flaw once again shows his technical brilliance – something which Apple really should be harnessing rather than turning away.

A lot of people noticed changes with iOS 4.3, but couldn’t actually figure out what was going on. Well that’s what we know in the public realm anyway, no doubt the bad guys had their eyes on it and were digging in with much more malicious exploits.

It basically seems like a way to bypass any kind of code validation by Apple and execute arbitrary code from an attack server – dangerous indeed.

Source: Network World

Posted in: Apple, Exploits/Vulnerabilities, Legal Issues

, , , , ,


Latest Posts:


Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc


Comments are closed.