Famed security researcher and hacker Charlie Miller (NSA, Accuvant Labs) has been blacklisted by Apple after he discovered, reported and then publicly revealed a potential vulnerability within iOS apps. Exploiting the flaw, which Apple later patched, Miller created an app that made it possible to steal data from, and take control of, other iOS devices. Further, Miller managed to get the app through the stringent Apple approval process and had it posted on Apple’s App Store for a short while.
In 2008 Miller won a $10,000 cash prize at the hacker conference Pwn2Own for being the first hacker to find a critical bug in the MacBook Air. The next year, he won $5,000 for cracking Safari. In 2009 he also demonstrated an SMS processing vulnerability that allowed for complete compromise of the Apple iPhone and denial-of-service attacks on other phones.
In 2011 he found a hole in the security of the iPhone and iPad whereby an application can contact a remote computer to download new, unapproved software that can execute any command, allowing it to steal personal data or otherwise use iOS application functions for malicious purposes. As a proof of concept, Miller created an application called InstaStock that was approved for Apple’s App Store. He then informed Apple about the security hole, and Apple promptly expelled him from the App Store.
Miller’s InstaStock app, outwardly a stock market tracking app, contained no malicious code when it was submitted to the App Store, but once installed on a user’s device it was capable of downloading and running additional unsigned code from a remote server. The app demonstrated that, prior to the iOS 5.0.1 update, it was possible for iOS apps to fetch and execute rogue code from third-party sources that Apple had no way to verify.
In a YouTube video demonstrating the app, posted in September 2011, Miller shows the ease with which his app abused Apple’s security flaws.
Though Apple credits Miller for highlighting the flaw, he received an email in early November giving notice of the termination of his iOS Developer Program License Agreement, mere hours after he made his findings known.
Miller has openly admitted that he violated the terms of the developer agreement and that Apple is entitled to terminate it. Miller argues, though, that given his track record, Apple has been very short-sighted in ditching him. “I report bugs to them all the time,” he told Forbes. “Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”