What you download from Apple's app store may not be safe, and some downloaded apps could cause serious data loss, said a cyber security expert who was booted by Apple after he publicly revealed the flaw.
Charlie Miller, a highly regarded Apple security expert and researcher with Accuvant Labs, identified a bug in Apple's iPhones and iPads, which can let hackers build apps that secretly download and install programs to filch data, send text messages or destroy information.
Miller said he had built a prototype malicious program to test the flaw. But Apple terminated his iOS developer program license after he decided to submit the proof-of-concept exploit app to the App Store.
Apple sent an e-mail to Miller on Monday, saying that his rights to develop iOS software for iPhone and iPad had been revoked, and that the company won't distribute his programs through the App Store anymore.
"Apple has good reason to believe that you violated (the iOS developer agreement) by intentionally submitting an App that behaves in a manner different from its intended use," said a copy of the e-mail obtained by sources.
"We will deny your reapplication to the iOS Developer Program for at least a year, considering the nature of your acts."
Miller proved his exploit by building a stock-market monitoring tool, InstaStock, which was programmed to connect to his server once downloaded and installed on the iPhone or iPad. After being connected to his server, Miller was able to gain complete control of an infected device and download whatever program he wanted. He posted a YouTube video of the whole process.
He said Apple's App Store couldn't identify the malicious program, which easily cleared the security vetting process. There is no evidence yet that hackers have exploited the vulnerability in Apple's iOS software, but Miller claimed his test proved that there could be real malware in the App Store, Reuters reported.
"Until now you could just download everything from the app store and not worry about it being malicious. Now you have no idea what an app might do," Miller said.
On Monday, Miller said that the free app had been downloaded by many Apple customers and it had connected to his server. However, he said he did not install any other software on their devices.
Miller, who admitted that he had violated the Terms of Service of the iOS developer program, declined to comment on his termination, but he did express his reaction via Twitter. "Me angry," he tweeted.
In the last few years, Miller has reported a number of bugs to Apple and had also alerted it to this latest flaw on Oct. 14. He said he was only trying to demonstrate a serious security issue with a harmless demo, and that the termination of his developer rights is heavy-handed and counterproductive.
"I didn't have to report this bug. Some bad guy could have found it instead and developed real malware," he told Forbes.
In February, Apple itself invited security researchers to become part of its developer program to test its Lion operating system. Miller said the company "went out of their way to let researchers in, and now they're kicking me out for doing research."
Leaving aside Miller's deliberate violation of the agreement for a moment, don't you think what Apple should have done instead was to immediately remove the app from the App Store, examine the flaw and if it's authentic, admit it and work with Miller to fix the issue in a future update?