Apple’s software policy of producing sizzle and not steak has let through another security flaw. But it seems that Jobs’ Mob has decided that the person who needs to pay is the bloke that found the problem.
Insecurity expert Charlie Miller, a researcher with Accuvant Labs, found the flaw in Apple iPhones and iPads which allows hackers to build apps that secretly install programs to steal data, send text messages or destroy information.
To prove his point he built a prototype malicious program. Apple’s App Store failed to identify the malicious program, which made it past the security vetting process.
So far there is no evidence that hackers have exploited the vulnerability in Apple’s iOS software, but Miller said that his test proved that there could be real malware in the App Store which no one knows about.
His app, InstaStock, was a stock market monitoring tool that connected to his server once downloaded and could then download whatever program he wanted.
Miller contacted Jobs’ Mob about the vulnerability and they told him that they were fixing it. However, what Apple really did was to stop Miller from participating in Apple’s developer programs.
Miller twittered saying “OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!”
Clearly it is easier to shoot the messenger than to deal with your own incompetence. The move has been backed by the press, which sniffed that Miller had broken the terms and conditions of being an Apple developer. Apparently it is in the terms and conditions that you must not use the App Store to show up Apple’s inability to take security seriously.
Miller is scheduled to present his research at the SyScan ’11 security conference in Taiwan next week.