It’s a sad tale, but it’s one we should probably tell you. Both so we can make fun of the security expert who had his developer account deleted, and so we can make sure you’re one-hundred percent aware of the situation this guy created, then bragged about, then decided to complain about publicly on Twitter.
This tale isn’t a story of a poor developer who was slighted by that big Draconian Apple; instead, it’s a story of someone doing something they knew was wrong, and then getting busted for it.
Charlie Miller, a security expert who found a loophole in iOS, has had his developer account annihilated by Apple because, in his words, “they give researcher’s access to developer programs, (although I paid for mine) then they kick them out.. for doing research.”
Apple has given researchers access to “research” accounts so they can test security issues, and other things like that, but it seems that Charlie Miller was rocking his exploits from a regular old developer account. That was probably his first mistake, and it’s probably why Apple immediately moved to ban the account.
In our words? Miller uploaded an exploit to the App Store, as a proof of concept, so he could, well, prove the concept. The app, InstaStock, would phone home to one of Miller’s servers, grab some code, and then run it on the user’s device. Yup, you read that right. He knowingly uploaded software that could compromise your device. Sure, it was a proof of concept, and there was probably never much of a likelihood that he would exploit your phone, but what was Apple supposed to do? Take his word for it?
Sections 3.2 and 6.1 of the iOS Developer Program License Agreement clearly prohibit the kind of behavior that Charlie Miller illustrated, so Apple kick-banned him in a way that would make that Banhammer guy smile a little bit.
In talking to CNET, Miller said:[quote]I don’t think they’ve ever done this to another researcher. Then again, no researcher has ever looked into the security of their App Store. And after this, I imagine no other ones ever will,” Miller said in an e-mail to CNET. “That is the really bad news from their decision.[/quote]
How is this bad news? Should Apple’s App Store be put through the security paces? Sure. But should “researchers” be allowed to exploit anything they feel like so they can talk about it and let others know? That’s the real question here. Perhaps the better approach would have been to call up Apple and tell them what he found. Turn over his code, and let them patch it, or figure out a solution.
This could be a case of a junior executive making a judgement call, and Miller’s account could be reinstated, but we won’t know until we hear back from Apple.