Apple kicks bug hunter out of its developer program

Renowned bug hunter Charlie Miller has been kicked out of Apple's iOS developer program after creating a proof-of-concept (PoC) app – and tricking Apple into approving it – that exploits a security flaw that could allow unapproved code to run on iPhones and iPads.

Miller, best known for his zero-day vulnerability discoveries in Apple products, found a way to plant a nefarious program in Apple's highly restrictive App Store.

He plans to reveal the method next week at the SysCan conference in Taiwan, according to Forbes, which first reported the news. His technique exploits a bug in Apple's iOS code-signing mechanism used to allow only company-approved commands to run on an iPhone or iPad.

To demonstrate the issue, Miller created a PoC app called “InstaStock,” which appears to be a benign stock market program, but is capable of communicating with a remote computer, downloading unapproved commands and harvesting information from a device. He then managed to trick Apple into approving the app for distribution in its official distribution platform, a move the company said violated its terms of service.

“First, they give researchers access to developer programs…then they kick them out...for doing research. Me angry,” Miller, principal research consultant at security firm Accuvant, tweeted on Monday. He later admitted to violating Apple's terms of service, but said he likely has done so in the past.

“So why boot me now?” he asked.

The flaw allows apps in the App Store to download and run new code, even if the code is not signed by Apple, Miller explained in a YouTube video demonstrating the bug.

“So you could imagine downloading a nice app, like Angry Birds, but instead of just being Angry Birds it actually can download and do anything it wants, and Apple would have no idea that happened,” Miller said in the video.

A spokesperson from Apple did not immediately respond when contacted by SCMagazineUS.com.
