A man who created a bogus stock price tracker app for the iPhone that was in fact malware has been thrown out of Apple’s developer program. That would seem uncontroversial until you discover the app was designed to highlight a security flaw rather than cause damage or steal data.
Charlie Miller was told his right to create and upload apps had been terminated “effective immediately.”
If Miller’s name seems familiar, that may be because he’s a perennial winner at the PWN2OWN competition, held at the CanSecWest security event in Vancouver each year. Contestants can ask judges to visit a URL using various combinations of hardware, operating system and browser, with the latest publicly available security updates applied. Last year was a particularly bad day for Apple: a MacBook Pro running Safari was the first computer to fall (Miller being the successful attacker), and the iPhone was the first smartphone hacked.
According to Miller, his latest “attack” came after he spotted a security flaw in iOS. The flaw, unwittingly introduced in a recent iOS update, appeared to allow code to be added to an app after it had already been vetted by Apple and installed on devices.
To prove this was a genuine threat, Miller released an app named InstaStock in September. Using a post-approval update, he says he was in a position where he could have remotely downloaded contacts and pictures from phones running the app.
Miller says he reported the flaw to Apple in mid-October. He went public yesterday and was barred from the program a few hours later. He’s scheduled to unveil more details of the flaw at a security conference next week.
The BBC quotes one possibly overenthusiastic analyst who calls the revelation “the most significant threat yet to Apple’s app store economy.”
Meanwhile, The Register has more details on the flaw, making the important point that it merely allows would-be attackers the same opportunities they’ve had on Android devices for some time.
Wednesday, November 9, 2011
Source: “Apple’s App store security breached,” via geeksaresexy.net