Apple has booted security researcher Charlie Miller out of its iOS developer program for revealing a security flaw in iPhones and iPads.
Miller discovered that it was possible to create an app for the App Store that passed all the company’s security checks – but which was nevertheless able to download illegitimate commands onto the device.
As a result, the app was able to access photos and contacts and even make the device vibrate or play sounds.
“The user doesn’t know anything’s going on, it just looks like a normal app,” he says. “I can grab any file I want – here is, for example, the address book.”
Miller had the InstaStock app, billed as a program to track stock prices in real time, accepted into the App Store in September. He says he needed to do that in order to demonstrate that it really did bypass the company’s security systems.
Miller posted a video on YouTube showing how it’s done, and warned Apple.
You might have expected Apple to bung a bottle of booze and a bunch of flowers Miller’s way – but no. Instead, the company pointed out that he was violating a clause forbidding him to ‘hide, misrepresent or obscure any features, content, services or functionality’.
As Miller says on Twitter, “OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!”
“First they give researchers access to developer programs (although I paid for mine), then they kick them out… for doing research. I thought they’d just remove the app and we’d still be friends.”
Miller’s been unearthing security flaws in Apple devices for years. From now on, he’ll be unable to do so until software is in the public domain and potentially already causing real-life problems.