Apple Kicks Developer That Found iOS Security Flaw

HardOCP News

Congratulations! You found an iOS security flaw!! You won a free ban from the developer program and the App Store! ;)

Since posting the video outlining his hack earlier today, Miller has been banned by Apple from both the App Store and the Developer Program. On his Twitter account, Miller complained that, “First they give researchers access to developer programs, (although I paid for mine) then they kick them out.. for doing research.”
 
While I suppose it could be said that he violated Apple's TOS for developers, how the hell did the app make it through to the store in the first place? Are the app store "geniuses" that complacent? Have they too drunk the "It Just Works" kool-aid?
 
Playing Devil's Advocate, he did violate the App Store terms by knowingly submitting malware. But it's not like real malware authors would do that, so he did have a valid reason for doing what he did, and the man is a legitimate security expert.

Apple doesn't give a shit about security however and just sweeps everything they can under the rug so this is par for the course for them.
 
This is the dilemma I see:
As a respected security researcher with a track record of exploiting Apple’s products, one could argue that Miller could have reported the exploit to Apple directly instead of planting a malicious app in the App Store. On the other side of the coin, it’s telling that Miller got his app through Apple’s review team in the first place.

If he had gone straight to them, they would have silently fixed it to avoid embarrassment, or maybe even denied it. They're basically retaliating against him for making them look bad.
 
This is the dilemma I see:


If he had gone straight to them, they would have silently fixed it to avoid embarrassment, or maybe even denied it. They're basically retaliating against him for making them look bad.

^this
 
This is the dilemma I see:


If he had gone straight to them, they would have silently fixed it to avoid embarrassment, or maybe even denied it. They're basically retaliating against him for making them look bad.

Agreed.
 
Not enough info on this one for me to make a call.

I can say what I think most people here expect from a security researcher who finds a serious Microsoft bug, though. SOP is usually to report the bug to Microsoft, and post publicly that it exists, without giving away an immediate proof-of-concept, except to them. The public posting is to put the public (and IT departments, developers, etc.) on notice, as well as make sure that Microsoft does due diligence on fixing the issue so it cannot be swept under the rug, with the general idea that if the issue is ignored, then and only then is concept code released.

The article doesn't give all of the details, but when news has made the [H]ardForums in the past that some "security researcher" found a bug in Microsoft code, and just released it into the wild without informing Microsoft, or giving them any opportunity to fix it, that person has usually been criticized as a douche for making things worse, not better. If this is what the guy did, he failed to follow best security practices regardless of what platform he found the issue on.
 
Steve and Majordomo are turning [H] into a bigger Apple hating circle-jerk than it already is.
 
CoM is once again exhibiting negligence in their reporting of details - those pesky little fact-based things that seem to get in the way of a sensational story.

Charlie Miller broke a cardinal rule of the White Hats - always notify the OS manufacturer before bringing to light a vulnerability.

Not only did he refrain from bringing the vulnerability to Apple's attention before his very public display, but he also blatantly broke the rules associated with the Apple Developer Program. As a result he has been justly banned.

The manner in which he exposed the vulnerability proves his motives as less than ethical.
 
That's from the article. Was going to quote it but accidentally hit enter instead.
 
Steve and Majordomo are turning [H] into a bigger Apple hating circle-jerk than it already is.

And we can count on you to counteract it with your mindless drivel in defending a company that couldn't care less about you.
 
The proper thing to do, as a White Hat, would be to inform Apple first to allow them to patch the flaw, THEN if they do nothing or are extremely slow to react, go to the press before the fix was in. After the fix is implemented, I would say it would be fair game for the dude to disclose the flaw to any press outlet he so wished. I would have expected any other company to have revoked the guy's developer account for what he did... he let a working exploit out into the wild before giving the company a chance to address the issue.

He's just an attention seeker, that's all. Did nothing to improve the security of all the users with jailbroken iPhones he has now exposed to copy-cat exploits.
 
Standard procedure upon identifying and being able to reproduce the flaw is to inform the vendor and work with them to close the vuln.

This guy didn't do that. All he did was point out that Apple's App Store submission process is flawed- which we knew- and did it like a dick.

You become trusted to work with vendors to fix their stuff as a White-Hat based off of your integrity and your actions, and by establishing yourself as an individual that can be trusted in that manner.

Long story short, this guy just put himself on a special kind of blacklist.
 
This guy seems like someone they wouldn't want to make upset.
 
Just a counterpoint here, but if everyone knew that the submission process is flawed, then Apple knew about it also. Isn't the next step to publicly embarrass them into fixing it, since they were ignoring it before?

I kind of thought that is how the process worked, you fix your known issues or somebody is going to tell the world.

This guy didn't do that. All he did was point out that Apple's App Store submission process is flawed- which we knew- and did it like a dick.
 
Really, what did he think was going to happen, pushing an app onto the iOS store like that? (Does not matter what you say, it's an instant ban on any phone or PC/Apple store for doing that.)

Doing that will put him on blacklists.
 
If this guy's app was only "caught" because he pointed it out, how many other apps that exploit the same flaw haven't been caught?
 
Just a counterpoint here, but if everyone knew that the submission process is flawed, then Apple knew about it also. Isn't the next step to publicly embarrass them into fixing it, since they were ignoring it before?

I kind of thought that is how the process worked, you fix your known issues or somebody is going to tell the world.

This. I am willing to bet that he was fed up with the way Apple is run, so he decided to take measures into his own hands. I say, good for him. The world needs more people like this guy. We are all taught to follow procedure and do what the fat cats tell us is right, and if we don't then they shun us. I'm sure Apple already knew of the flaw but let it go for one reason or another. My guess is it is a much more sinister reason than not, but who really knows. :D
 
He submitted malware to the App Store, then publicly made Apple look bad for accepting it, all before notifying Apple of the vulnerability.

That's called biting the hand that feeds you, and it will get you kicked out of the house every time. I don't know why anyone would expect any company to respond differently.
 
This is the dilemma I see:


If he had gone straight to them, they would have silently fixed it to avoid embarrassment, or maybe even denied it. They're basically retaliating against him for making them look bad.

No logic is allowed on [H] when it comes to Apple threads.
 
The topic itself just seems like he did not read it before main-paging it, as what it says on [H] does not even say that he posted it on the iOS store.

What it should say is the so-called white hat posted a bad app on the market and got banned for it without reporting it to Apple.
 
I don't hate Apple, I just despise their business model/execution in their walled garden.

Ditto

I had hoped that Apple would chill out a bit under new leadership.

The whole super secrecy, Apple Gestapo thing has been working for them -- well, aside from a certain incident in San Francisco. Still, I had hoped things would lighten up just a little.

Corporations, as we do them in the US, are the anti-christ.

After all, US law treats corporations as if they were a real person. We really need to fix our corporate laws. Apple's evilness is just one example of corporate abuse.
 
Is it just me, or is everyone else starting to see all of the problems arising within Apple software after Jobs' death?

When he first left, Apple nearly went down the tube, then he came back and Apple did great. Now he's gone again, and Apple is having problems with security, software, stability, you name it, left and right.
 
So the guy blatantly broke the rules, BLATANTLY, and people are arguing at Apple for it? You guys really do just find anything to bash them for, don't you? When did I get to MacRumors?
 
Is it just me, or is everyone else starting to see all of the problems arising within Apple software after Jobs' death?

When he first left, Apple nearly went down the tube, then he came back and Apple did great. Now he's gone again, and Apple is having problems with security, software, stability, you name it, left and right.

Nope, the problems with recent products have been around for years now. They've just got a huge influence on the media to bury it. People claim that [H] is a bunch of Apple bashers, but the stories are usually unbiased, whereas on an "apple lover" site, you might never even hear about some of these things.

"Some people on the forums were having X issue " = apple fan site
"There is an ongoing thread of 200+ pages of people with X issue " = non apple fan site

Neither lies; one just has substantially more context, and outlines the severity of the situation.
 
I guess Jobs isn't around to cover this crap up anymore, so it's a lot more open to the public then.
 
So for an analogy:

You discover that your neighbour has forgotten to put a lock on the cellar door. Instead of telling him, "Hello dear neighbour, you have forgotten to put a lock on your basement door", you go in and rob him clean. Then, when the neighbour reports it to the police, the rest of the ppl in the area go all hate on him for reporting it?

Get a grip ppl. This guy exploited a fault instead of telling Apple, and you blame them? Geez..

There isn't a single profit-making company out there who loves you more than your money is worth to them. Apple gets all this flak for trying to keep your smartphone as secure as possible, which I regard as a good thing.

And for this site becoming an Apple-hating circle jerk site, I couldn't agree more. When was the last time you read any positive news comment about Apple? I don't give a shit about any company, I just buy what I find the most suited for my needs, but I start to wonder if the rest of the articles in other areas on this site are equally one-sided.
 
The guy went about it wrong, and if Apple wishes to continue with its broken app submission process, then people with iStuff will have to learn to treat apps the same way as Android users do, with suspicion. Especially if it is not from a well-established, trusted developer.
 