Apple lost the best weapon it had against malware and security issues when it dropped Charlie Miller from its developer program. Charlie Miller, the perennial winner of the annual Pwn2Own contest for hacking and compromising Apple software, found a serious security flaw in Apple’s App Store. Apple’s response was to kick Miller out of the Apple Developer program. Shooting the messenger doesn’t improve security or make the issue go away, so did Apple do the right thing?

It turns out that the answer is not a simple one. Apple didn’t suspend Miller from the Apple Developer program because he found a flaw. It suspended him because he violated the Apple Developer terms of service by intentionally uploading a deceptive app to the App Store, essentially to illustrate that it could be done.

The issue of security researcher ethics and responsible disclosure of discovered vulnerabilities is a hotly debated topic in information security. Vendors want to be notified privately and given time to investigate and develop a patch or solution before the flaw is disclosed publicly. However, vendors are often painfully slow to do so once the information about the flaw has been shared with them, which leads some researchers to “light a fire” under them by going public.

It is unknown whether Charlie Miller notified Apple of the security issue. If he did do so, we don’t know when. Charlie Miller is a respected security researcher, and arguably the leading expert on the security (or lack thereof) in Apple software, so it is easy to blame Apple in this case. Stephen Cobb, a security evangelist with ESET, points out that Apple didn’t really have any choice in how it handled the incident.
To ignore the breach of terms just because it was Charlie Miller could be seen as unfair, or set a bad precedent where every other smoking-gun security researcher feels that it is OK to plant malicious apps to prove a point.

Ben Rothke, author of Computer Security: 20 Things Every Employee Should Know, feels differently, though. “What is quite disconcerting is Apple’s response. When someone calls you in the middle of the night to tell you that your house is on fire, you don’t scream at them for waking you up.”

Andrew Storms, director of security operations for nCircle, says, “The bad news is that Apple just lost their best pen tester. Charlie Miller is absolutely the best researcher to help Apple improve the security of their products.”

Apple platforms and software have never been as impenetrable as Apple may lead people to believe. The success of Apple in smartphones and tablets, and the growing market share of Mac OS X, mean that Apple has reached a critical mass that makes the company more attractive as a target for malware and other attacks.

Charlie Miller has been instrumental in debunking the myth that Apple systems are just inherently secure. Miller opened up a security Pandora’s box for Apple, and Apple would probably like to pretend the issues don’t exist. But Apple no longer has the luxury of relying on security by obscurity.

Rothke sums up, “Apple’s myopic response will certainly stoke the interest of vulnerability researchers of many different hat colors. How can Apple start to quench those fires? Hiring Charlie Miller as head of information security is a great start.”