Author Topic: Security Researcher Terminated by Apple Researcher says "That's so rude!"  (Read 2448 times)

Offline TwisTtheTwiTcH

  • Blogs & Media Editor-In-Chief
  • Acid Modder
  • *
  • Posts: 782
  • Post quality +12/-2
  • Gender: Male
  • Within my shadows there are no sins
Most people wouldn’t say this: “OMG, Apple just kicked me out of the iOS Developer program. That's so rude!" about being terminated from work. Charles Miller, a late security researcher that focused on Apple products clearly isn’t most people.

According to Apple, Miller violated sections 6.1 as well as 3.2 of the iOS Developer Program License Agreement. These sections cover hiding features from Apple whenever you submit software to them.

Miller’s recent discovery was a hole in the iOS security that allowed apps to snag unsigned code from third party servers, and then have it added to the app after it had been accepted into Apple’s app store.

The app Miller released to prove the concept was a generic stock checking application by the name of InstaStock. The app was able to connect to his own server and snag bits of code. Thus proving the hole in Apple’s security.

Miller commented to cNet “I don't think they've ever done this to another researcher. Then again, no researcher has ever looked into the security of their App Store. And after this, I imagine no other ones ever will, that is the really bad news from their decision."


Apple's Letter to Miller:
[spoiler]    From: appledevnotice@apple.com
    Subject: Notice of Termination
    Date: November 7, 2011 4:49:34 PM CST
    To: [redacted]

    Dear Charles Miller:

    This letter serves as notice of termination of the iOS Developer Program License Agreement (the "iDP Agreement") and the Registered Apple Developer Agreement (the "Registered Developer Agreement") between you and Apple, effective immediately.

    Pursuant to Section 3.2(f) of the iDP Agreement, you agreed that you would not "commit any act intended to interfere with the Apple Software or related services, the intent of this Agreement, or Apple's business practices including, but not limited to, taking actions that may hinder the performance or intended use of the App Store or the Program". Further, pursuant to Section 6.1 of the iDP Agreement, you further agree that "you will not attempt to hide, misrepresent or obscure any features, content, services or functionality in Your submitted Applications from Apple's review or otherwise hinder Apple from being able to fully review such Applications." Apple has good reason to believe that you violated this Section by intentionally submitting an App that behaves in a manner different from its intended use.

    Apple may terminate your status as a Registered Apple Developer at any time in its sole discretion and may terminate you upon notice under the iDP Agreement for dishonest and misleading acts relating to that agreement. We would like to remind you of your obligations with regard to all software and other confidential information that you obtained from Apple as a Registered Apple Developer and under the iDP Agreement. You must promptly cease all use of and destroy such materials and comply with all the other termination obligations set forth in Section 12.3 of the iDP Agreement and Section 8 of the Registered Developer Agreement.

    This letter is not intended to be a complete statement of the facts regarding this matter, and nothing in this letter should be construed as a waiver of any rights or remedies Apple may have, all of which are hereby reserved. Finally, please note that we will deny your reapplication to the iOS Developer Program for at least a year considering the nature of your acts.

    Sincerely, Apple Inc.
[/spoiler]

Miller's most noteworthy discovery curtsey of of cNet
[spoiler]"Miller has highlighted numerous security flaws within Apple software over the years, with one of his most high-profile discoveries being a hack for the mobile version of Safari in 2007, shortly after the first iPhone was released. Additionally, he's been a fixture at the Pwn2Own security contest to gain control of Apple's Mac OS X computers through the built-in Safari Web browser. More recently, Miller detailed that the low-level system software that ships on all of Apple's recent-model batteries was protected by the same two passwords, letting would-be attackers theoretically disable the batteries given access to an administrator account."[/spoiler]

-TwisTtheTwiTcH

Offline Kool1zero

  • Code Monkey
  • Registered BST
  • Motor Mouth
  • *
  • Posts: 99
  • Post quality +5/-0
  • Gender: Male
  • Computer, Electrical, and Network Engineering Stud
Re: Security Researcher Terminated by Apple Researcher says "That's so rude!"
« Reply #1 on: November 08, 2011, 10:05:31 AM »
thats hardcore stuff brah
Stolen from f00kz

 

SMF spam blocked by CleanTalk
SimplePortal 2.3.5 © 2008-2012, SimplePortal