White hat hackers need protection
Security professionals and vendors need to step up and create organisations to protect well-meaning researchers from prosecution in light of discovering software vulnerabilities and flaws.
This is according to Charlie Miller, principal research consultant for Accuvant Labs, and former national security agency analyst.
He gave a demonstration at the ITWeb Security Summit today of how he developed an application that proved the existence of the iOS security flaw.
Apple consequently banned Miller from being a certified Apple developer after he revealed the flaw.
According to Miller, no foolproof solution exists to protect Apple mobile devices; however, he noted that Apple has significantly improved its security.
He explained that in order to prevent malware from being distributed onto the Apple iStore, Apple checks all code before it signs it and can remotely remove apps from iOS devices.
All apps have to come from the App Store and they cannot change or update themselves. “Apple acts as an anti-virus for the user in this case,” noted Miller.
However, Apple recently introduced dynamic code signing to make it more difficult for hackers to exploit code.
“Apple was aware that there were security implications with dynamic code signing and added more rules that only apps can allocate a region to do dynamic code signing at one time,” explained Miller.