Apple lets security researcher into App Store, then throws toys out of cot

Filed Under: Apple, Featured, Malware, OS X, Vulnerability

Well known security researcher Charlie Miller has received mentions on Naked Security before.

For example, he presented research on the security (or otherwise) of the firmware built into Apple laptop batteries at this year's Black Hat conference.

And in 2009, he openly promoted the concept of No More Free Bugs at CanSecWest.

He hasn't stuck to his guns in respect of "no more free bugs", though - he recently published an openly accessible YouTube video in which he shows, in his own words, how to break "the App Store [anti-malware] model using a flaw in the iOS code signing enforcement mechanism."

Apple, which has been rather tardy in coming to the security party, wasn't best pleased. The company threw out Miller's proof-of-concept software, excommunicated him from the Apple developer programme and banned him from the App Store for at least a year, according to reports.

(The video didn't have an entirely negative outcome for Miller. He's now getting plenty of advance publicity for his research, which he'll be presenting at SyScan '11 in Taiwan next week.)

Incidentally, Miller's program isn't the only security-related software banned from the App Store.

You won't find Sophos's award-winning Macintosh anti-virus in the OS X App Store either. One of the reasons it's excluded is because it makes use of a kernel driver. That's the bit which slots into the operating system to provide not just malware detection, but malware prevention.

Without a kernel driver, there isn't a reliable way to block access to dodgy files before they can do harm. On the other hand, malware can do its dirty work without a kernel driver, or even a password to give it administrative powers.

Ironic, isn't it?

Malware can make it into the App Store, but a fit-for-purpose anti-malware program can't.

, , , , , , ,

You might like

6 Responses to Apple lets security researcher into App Store, then throws toys out of cot

  1. Richard · 1393 days ago

    Unfortunately, this seems like a typical response from irresponsible vendors. Someone discovers a security vulnerability in your product, and rather than trying to fix it, you punish the person who found it for breaking your rules.

    Because the bad guys are always going to be thwarted by their strict adherence to your rules, right?

  2. Nigel · 1393 days ago

    I'm a Mac user...have been since 1986. I love the platform. But I have to say that sometimes Apple does the doggone stupidest things imaginable.

    In other words, they're human.

  3. Tom K · 1393 days ago

    This article is a poorly-written article that showcases a poor understanding of iOS, OS X, and the reasoning behind App Store policies -- or at the very least fails to explain them.

    1. The Mac is an open platform, unlike iOS -- therefore the end-user can choose to install anything they want, kernel drivers or not. The catch is that the Mac App Store itself does not allow such apps. Nothing is stopping you from getting anti-virus software via other avenues and installing it.
    Drawing this kind of boundary makes things easier for everyone: for the reviewers, for the App Store policy decision-makers, and for the end-user who can make the reasonable assumption that NOTHING on the Mac App Store will cause their Mac to misbehave. Allowing apps that run components in kernel space in the App Store greatly increases the complexity of the review process and increases the chances of something crashing your Mac. This goes against everything that the App Store stands for -- namely, a safe place to get apps that you know won't make your equipment crap out.
    Unfortunately, with 3rd-party kernel extensions, your computer's stability is at the mercy of the competency of the developers of said 3rd-party extension. That is a gamble Apple is unwilling to make.

    2. Miller's software is NOT "security related" in the least as far as the end-user is concerned, or as far as Apple is concerned for that matter. Miller's software is malware, PERIOD. It is there to prove a point; it doesn't do anything useful beyond what its Trojan-horsed facade presents. What it does allow is stealing of the user's data. This isn't even in the same BALLPARK as an anti-virus solution.

    3. The Sophos software is not allowed in the App Store because it violates certain policies (kernel extensions); Miller's software is not allowed in the App Store because it ALSO violates certain policies. Miller was then also kicked out of the Developer Program for *deliberately* circumventing safety/security mechanisms. The line is clear, and he crossed it -- proof of concept or not. What he could have done is pulled the app after it had been approved -- that does enough to prove his point.
    You don't rob a bank and then tell the cops that you just wanted to see if their security was good enough, and hope to get away. The rules apply to everyone equally, no matter your excuse.

    It seems as if your motivation for writing this started with "How can I make a quip about Apple allowing malware into the App Store but banning our stuff?", followed by some kneading of the filling in order to create a platform for the quip to stand on.

    • Paul Ducklin · 1393 days ago

      Do you _really_ not see the irony?

      I love the way you write that Apple's ban on App Store kernel drivers - in all cases, and from all vendors - "makes things easier for everyone: for the reviewers, for the App Store policy decision-makers, and for the end-user who can make the reasonable assumption that NOTHING on the Mac App Store will cause their Mac to misbehave."

      The whole irony here is that end-users _can_ make the reasonable assumption that any anti-virus software sold via the App Store (and there is some - explicitly blessed, of course, by Apple) isn't really fit for purpose. But they _can't_ actually make the assumption you claim. The App Store's procedures aren't enough on their own to keep malware out.

      And this isn't a quip. The whole issue of forcing your customers to shop at the company store (in the case of iOS), and of vigorously encouraging it (in the case of OS X), does raise a whole raft of serious questions.

      Does it stifle innovation? Is it really safer? Should I just assume that the App Store's policy makers are right? Can I trust the sort of company that gives everyone the root password alpine "because we don't let you use the password anyway"?

      (I'm not taking a stance on whether Miller should have actually published his app or not. Perhaps just getting it approved would have been enough. Perhaps he thought the publicity would be more valuable to him if he did what he did. If so, he was probably right.)

      • Tom K · 1391 days ago

        There's no irony -- the flaw will be fixed, and life will continue as usual, because it is after all a *FLAW* in the system. I'm not sure that this whole episode is a big deal *AT ALL* on account of that.

        While the procedures alone won't keep 100% of the malware out, the human component to the App Store does the rest. A "reasonable assumption" is just that -- a reasonable assumption. It's not a guarantee. I'll take "reasonable assumption that I'm safe" over "malware-ridden open app ecosystem" ala Android any day, or the other extreme: an Apple prison where only Apple apps are available.

        The ban on kexts is a whole other issue, and I applaud Apple for having the balls to say "no kernel extensions on the App Store". The last thing I want to deal with is family members and friends asking me for help because their Mac crashes on boot because some lazy developer didn't bother testing his kernel extension on previous releases or whatnot.

      • Sam · 1390 days ago

        Just ignore the fanboys. Apple can't admit the flaws in its systems, and neither, therefore, can its customers.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog