Old 11-08-2011, 11:55 PM   #1
HansTWN
Apple banishes developer who points out security flaw

This really belongs in the Apple section as a warning to those who believe in the total security of iOS, but I would be eaten alive. So I am providing this info to you guys only.

http://sg.finance.yahoo.com/news/App....html?x=0&.v=1
Old 11-09-2011, 06:16 AM   #2
murraypaul
He was banned for submitting an app that exploited the flaw, not for pointing it out.

Quote:
He proved his theory by building a stock-market monitoring tool called InstaStock, which connected to a server he controlled once it was installed on an iPhone or iPad. He was then effectively able to gain complete control of an infected device. Miller posted a YouTube video of the technique: (http://www.youtube.com/watch?v=ynTtuwQYNmk)

He told Reuters on Monday that several hundred Apple customers had downloaded the free app and that it had connected to his server, but said he had not installed any other software on their devices.

[...]

"Apple has good reason to believe that you violated (the iOS developer agreement) by intentionally submitting an App that behaves in a manner different from its intended use," the email said.
Old 11-09-2011, 07:07 AM   #3
HansTWN
Quote:
Originally Posted by murraypaul
He was banned for submitting an app that exploited the flaw, not for pointing it out.
He made an app to prove the fact that the flaw could be exploited and was very open about that from the beginning. It was the same thing as inspectors getting a dummy bomb on an airplane.

Point being Apple should thank him for helping them improve their products. Other companies hold contests and pay people to fool their security systems.
Old 11-09-2011, 10:02 AM   #4
murraypaul
Quote:
Originally Posted by HansTWN
He made an app to prove the fact that the flaw could be exploited and was very open about that from the beginning.
Really, the app description stated that there was a hidden trojan that would allow a remote exploit of users' devices? He told Apple that when he submitted the app?
That isn't what the story said: "He proved his theory by building a stock-market monitoring tool called InstaStock, which connected to a server he controlled once it was installed on an iPhone or iPad."
He wasn't open about it from the beginning, he was open about it after the fact.

Quote:
It was the same thing as inspectors getting a dummy bomb on an airplane.
But it wasn't a dummy bomb, it was a genuine bomb, he just didn't explode it.

Quote:
Point being Apple should thank him for helping them improve their products. Other companies hold contests and pay people to fool their security systems.
And had he just notified the problem to Apple and given them time to fix it, I'm sure they wouldn't have kicked him out.

1. He knowingly uploaded software with hidden functionality which hijacked users' devices.
2. He did not disclose that the software has that functionality to Apple or to the users that downloaded it.
3. That is a violation of the TOS.
Do you disagree with any of those statements?
Old 11-09-2011, 11:13 AM   #5
ilovejedd
Quote:
Originally Posted by murraypaul
But it wasn't a dummy bomb, it was a genuine bomb, he just didn't explode it.
Unfortunately, this. Normally, I think most security researchers tend to inform the company first and only after they don't receive a reply that the company is trying to fix the problem do they make their findings public. Of course, he couldn't have known that his app would pass the app review process unless he submits it and I reckon that was as much part of his test as the actual exploit.
All times are GMT -4. The time now is 11:43 AM.


MobileRead.com is a privately owned, operated and funded community.