Apple has kicked security researcher Charlie Miller out of the iOS Developer Program for discovering and demonstrating a security flaw, CNET reports; we covered the flaw in a post yesterday. Miller announced his expulsion via Twitter.
The flaw that Miller discovered and pointed out could enable a malicious developer to create an app that quietly executes dangerous JavaScript code on the device without being detected by either the user or Apple.
Miller shared a video demonstrating the vulnerability and planned to show the problem in more detail at next week's SyScan conference, while keeping the details under wraps to allow Apple to address the issue. Unfortunately, it appears that Apple does not value security research or respect researchers.
It is typical for security researchers to share their findings with the company responsible for the flaw, and Miller did so by attempting to contact Apple about the situation. Perhaps the key issue is that he discussed the vulnerability on the open internet instead of keeping quiet about it until Apple could release a fix.
Apple, however, did not take kindly to Miller talking about the exploit online, and cancelled his developer account for violations involved in submitting the app that showcased the flaw (which, by the way, Apple approved).
Still, it’s unsettling that Miller, who was pointing out an exploit in the name of research, and for Apple’s benefit, would get kicked out of the developer program for simply doing research. Charlie Miller was ultimately on Apple’s side.
Perhaps next time Miller won’t bother sharing his research with Apple, but will instead use it to take advantage of others and become a public menace? Well played, Apple, well played. Apple’s entire letter to Miller can be found below:
From: appledevnotice@apple.com
Subject: Notice of Termination
Date: November 7, 2011 4:49:34 PM CST
To: [redacted]
Dear Charles Miller:
This letter serves as notice of termination of the iOS Developer Program License Agreement (the “iDP Agreement”) and the Registered Apple Developer Agreement (the “Registered Developer Agreement”) between you and Apple, effective immediately.
Pursuant to Section 3.2(f) of the iDP Agreement, you agreed that you would not “commit any act intended to interfere with the Apple Software or related services, the intent of this Agreement, or Apple’s business practices including, but not limited to, taking actions that may hinder the performance or intended use of the App Store or the Program”. Further, pursuant to Section 6.1 of the iDP Agreement, you further agree that “you will not attempt to hide, misrepresent or obscure any features, content, services or functionality in Your submitted Applications from Apple’s review or otherwise hinder Apple from being able to fully review such Applications.” Apple has good reason to believe that you violated this Section by intentionally submitting an App that behaves in a manner different from its intended use.
Apple may terminate your status as a Registered Apple Developer at any time in its sole discretion and may terminate you upon notice under the iDP Agreement for dishonest and misleading acts relating to that agreement. We would like to remind you of your obligations with regard to all software and other confidential information that you obtained from Apple as a Registered Apple Developer and under the iDP Agreement. You must promptly cease all use of and destroy such materials and comply with all the other termination obligations set forth in Section 12.3 of the iDP Agreement and Section 8 of the Registered Developer Agreement.
This letter is not intended to be a complete statement of the facts regarding this matter, and nothing in this letter should be construed as a waiver of any rights or remedies Apple may have, all of which are hereby reserved. Finally, please note that we will deny your reapplication to the iOS Developer Program for at least a year considering the nature of your acts.
Sincerely, Apple Inc.