After latest iPhone hack, Charlie Miller kicked out of iOS dev program

There’s bound to be security vulnerabilities on all platforms, no question. Admittedly Charlie Miller (somebody who’s dedicated a huge amount of time to finding shortfalls in iOS and Mac OS X) should have given Apple the opportunity to react prior to publicising the vulnerability, but their over-reaction serves to justify his actions. Keep in mind he has not published specifics of this existing vulnerability, but was punished by having his account banned – presumably for daring to make the company look bad (even if it was for the greater good).

This invariably serves to highlight the limitations of relying on a single provider for your entire ecosystem, top to bottom. In this case, the curated system has clearly failed, but fortunately it was only a test by a reputable security researcher. It probably wouldn’t hurt to display what resources or permissions apps require prior to download, ala Google’s Market, to inform the user and allow them to exercise their own judgement. … Unless they’re deemed to be incapable of their own semi-intelligent assessment without being intimidated.

If you then refer to the 5-8% of iPhones that are jailbroken, where users can then download applications from third-party repositories, then the drawcard of the ecosystem – the curated system, is no longer. These devices are as vulnerable (if not more) than comparable ones.

“To increase the speed of the phone’s browser, Miller noticed, Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, he realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible.”

A bit of further reading about this year’s Pwn2Own hacking contest, in which Safari (both mobile and desktop) were hacked within seconds. Chrome was unable to be exploited: http://en.wikipedia.org/wiki/Pwn2Own#Contest_2011

After latest iPhone hack, Charlie Miller kicked out of iOS dev program | ZDNet

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s