Apple Punishes Researcher Charlie Miller For Finding Potential Security Flaw
In the cybersecurity world, most hackers fall into two categories. "Black hats" exploit flaws to cause chaos. "White hats" report flaws so they can be fixed.
Charlie Miller considers himself a white hat. A former security researcher for the National Security Agency, Miller has become famous in security circles for finding bugs in popular Apple products that could be exploited by hackers for malicious purposes.
But Apple said that while Miller was researching his latest discovery, he went too far.
He developed an application that he believed could download malware onto iPhones and iPads. To prove this, he disguised his app as a stock ticker program and got it approved for distribution in Apple's App Store.
Instead of thanking Miller for his work, Apple revoked his app developer license on Monday, saying it violated the developer agreement that forbade him to "hide, misrepresent or obscure" his app. He was also suspended for one year from Apple's developer program.
Miller said he was trying to demonstrate a flaw in Apple's process for reviewing new apps. If he hadn't introduced the app to the App Store, no one would have believed that Apple would accept an app that could infect mobile devices, he said. Miller added that Apple overreacted.
"I'm helping them in many ways," Miller told the Huffington Post. "What they're doing is making it harder for me to do that. I think it's an overreaction. No one was hurt by anything I did."
Apple did not return a request for comment.
Apple's decision to reprimand Miller comes after the company has tried to build closer relationships with security researchers. Before releasing its latest operating system, Lion OS X, this year, Apple invited security researchers to probe the system for flaws.
Some researchers say they were surprised by Apple's decision to punish Miller after making the effort to work with security researchers.
"It doesn't make sense to me," said Roel Schouwenberg, a security researcher at Kaspersky Labs. "Apple has tried to reach out to the security community. This move seems really counterproductive."
Not everyone thinks Miller took the right approach, however.
Jonathan Zdziarski, an author of several books about iPhone software development, said he respects Miller's research but believes he should not have released his application in the App Store.
Zdziarski said Miller could have proved his point while making his app unavailable for download or by pulling his app from the store immediately after it was approved, "rather than give the some 100 million iOS users a chance to download and install this malware." Zdziarski said a hacker with bad intentions could have hijacked Miller's app to attack iPhone and iPad users.
"By allowing the application to remain in the App Store, Miller's good word is the only thing separating him from a common criminal, from Apple's perspective at least," Zdziarski said in an email.
In the last four years, Miller said he has reported more than 10 bugs to Apple. In July, Miller claimed to have found a new security flaw in Apple laptops that could allow hackers to ruin laptop batteries, infect them with malware or potentially cause them to overheat and catch fire. In 2009, he found a bug that allowed hackers to take control of an iPhone with a text-messaging attack. Apple seemed to appreciate his work, he said.
Miller's latest finding was notable because it involved Apple's iOS platform, which is considered to be more secure than mobile phones that run on Google's Android operating system. In June, the security firm Symantec said that Google's model for vetting apps on Android devices was "less rigorous and consequently, less secure" than Apple's iOS platform.
Miller, now a research consultant at Accuvant Labs, said he contacted Apple three weeks ago about the vulnerability, but did not tell the company about his disguised app, which had been available in the App Store since September. Miller said Apple has since removed his app, but that his findings exposed a weakness in Apple's App Store.
"Until they fix this flaw," Miller said, "you can't trust the App Store."