Security researcher and ethical hacker Charlie Miller shattered the concept of iOS security yesterday (Nov. 7), revealing to the world that he'd gotten a malicious app approved by Apple and placed in the iTunes App Store.
For his trouble, Apple kicked Miller out of its app developer program. Miller's app is a "proof of concept" and does not harm the iPhone or iPad user, but it shows that Apple's famously stringent iOS security policies are not hacker-proof.
Miller developed InstaStock, an app billed as a program that tracks stock prices in real time. Apple accepted the app in September, and it was in the iTunes App Store until yesterday, just after Miller came clean about InstaStock's true capabilities. Apple promptly removed the app and sent Miller an email telling him he was no longer an approved Apple developer and would have to wait a year before reapplying.
A researcher with the security firm Accuvant, Miller had rigged the app to connect to a server in his St. Louis home and to receive commands to perform a number of devious tasks, including reading an iPhone's files, making a phone vibrate and remotely downloading the pictures and contacts stored on the device of a person running the app.
Miller, Apple's email said, had violated a clause in the license for app developers in which he agreed he would not "hide, misrepresent or obscure any features, content, services or functionality" of apps.
"In their defense, I did break the terms of service," Miller told SecurityNewsDaily.
He wrote on his Twitter page that he had contacted Apple about the security vulnerability three weeks ago, but did not tell them then about the devious app.
"But I didn't hurt anyone, no malicious code was ever put on anyone's phone, and I only did what I needed to do to demonstrate this was a real flaw that could find its way into the App Store," Miller said. "I'm a professional consultant and I was helping Apple secure their device for free on my own time, and they repay me by kicking me out of their program. It's mind-boggling."
Apple's App Store policy is especially strict. Each iOS app undergoes a full security review before it's accepted, and each app is digitally signed so that stock iPhones and iPads will accepts apps only from the iTunes App Store.
The proof-of-concept hack hidden inside Miller's InstaStock app was especially sly, and worked by bypassing security protections Apple builds into iOS devices — the iPhone, iPad and iPod Touch — meant to prevent any code from running on them without Apple's explicit permission. Miller explained in a YouTube video how his InstaStock app subverted the company's code-signing feature.
Miller has a history of exposing critical vulnerabilities in Apple products, including a flaw in Apple laptop batteries that a hacker could exploit to infect computers with malware or even make laptops explode. Being expelled from the developer program came as a shock, he said, and, from a security standpoint, he believes it's a poor move on Apple's part.
"It is bad for a couple of reasons," Miller told SecurityNewsDaily. "It makes it harder for me to do research on their products, which in the end helps them by making a more secure product. Additionally, I think it sends a bad message to other researchers. It tells them that if you research Apple products, don't be surprised if they respond by kicking you out of developer programs and maybe worse."
Attempts to reach Apple by email and phone for comment were unsuccessful.
Miller said he plans to rejoin the app developer program after his one-year suspension is up, but he says Apple may suffer by not being able to avail itself of his ethical hacking skills in the meantime.
"I will not be able to look at the beta version of iOS 5.0.1 to see if their patch really fixes the problem," Miller said. "I'll have to wait until everyone is downloading 5.0.1, at which point it will be too late if they don't fully patch it."