iOS, Security & Charlie Miller

Will Goring, 08 Nov 2011

In case you hadn’t heard, the security researcher Charlie Miller has had his iOS developer program access terminated after publishing a proof-of-concept app to the App Store to demonstrate a vulnerability. His response:

OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!

@0xcharlie

That’s putting it mildly. Since then he’s found out that he’s also barred from re-entering the program for a year. Could have been worse I suppose; I wouldn’t have been astounded if it had turned out to be permanent.

The thing is, I don’t think this is just rude; I think it’s wrong. I know the internet is full of people shouting that this was clearly against the terms of the App Store and that Charlie should have expected this response, but I’m sorry; I disagree. Well, partially. I guess he should have expected it, this being Apple and all, but just because it was predictable doesn’t mean it’s OK, and I feel their response was both disproportionate and, ultimately, unproductive.

The proportionality of Apple’s response isn’t really something with an objective measure; either you think they were justified or you don’t. My opinion is that, while I can understand Apple wanting to take a hard line on malware in the App Store, it wouldn’t kill them to take a slightly softer approach in a case like this, where they had already been informed of the vulnerability, no malicious payload was in use, and the point of the exercise was to disclose a real security flaw. I’d have thought deleting the app in question and having a frank exchange with Charlie about Apple’s expectations in similar situations would have sufficed.

Not only would it have sat better with me morally, but it would have been a better outcome for everyone, Apple included. Their PR department might not like it when someone points out that their platform isn’t immune to malware, but it’s an important thing for end-users to know, and I guarantee that even the marketeers like it a lot more this way than they would if someone less scrupulous had found the exploit first and started using it maliciously in the wild.

Filed under: apple, security