Apple kicks bug hunter out of its developer program

Renowned bug hunter Charlie Miller has been kicked out of Apple's iOS developer program after creating a proof-of-concept (PoC) app – and tricking Apple into approving it – that exploits a security flaw that could allow unapproved code to run on iPhones and iPads.

Miller, best known for his zero-day vulnerability discoveries in Apple products, found a way to plant a nefarious program in Apple's highly restrictive App Store.

He plans to reveal the method next week at the SyScan conference in Taiwan, according to Forbes, which first reported the news. His technique exploits a bug in Apple's iOS code-signing mechanism, which is used to allow only company-approved commands to run on an iPhone or iPad.

To demonstrate the issue, Miller created a PoC app called “InstaStock,” which appears to be a benign stock market program but is capable of communicating with a remote computer, downloading unapproved commands and harvesting information from a device. He then managed to trick Apple into approving the app for its official distribution platform, a move the company said violated its terms of service.

“First, they give researchers access to developer programs…then they kick them out...for doing research. Me angry,” Miller, principal research consultant at security firm Accuvant, tweeted on Monday. He later admitted to violating Apple's terms of service, but said he likely has done so in the past.

“So why boot me now?” he asked.

The flaw allows apps in the App Store to download and run new code, even if the code is not signed by Apple, Miller explained in a YouTube video demonstrating the bug.

“So you could imagine downloading a nice app, like Angry Birds, but instead of just being Angry Birds it actually can download and do anything it wants, and Apple would have no idea that happened,” Miller said in the video.

A spokesperson from Apple did not immediately respond when contacted by SCMagazineUS.com.
