Jobs’ Mobs’ lax security at its App store and a design flaw means that iPhone users are at the mercy of the hackers
Swiss insecurity expert Nicolas Seriot, who is software engineer and scientific collaborator at the Swiss University of Applied Sciences (HEIG-VD) said that Apple’s security is a joke.
iPhone users were at risk of downloading malicious apps that could steal data and spy on them, he said.
Speaking at the Black Hat DC security conference today, Seriot said that Apples iPhone app review process was useless at stopping malicious apps from getting distributed to millions of users.
Once they are downloaded, a nasty iPhone apps have unfettered access to a wide range of privacy-invasive information about the user’s device, location, activities, interests, and Coldplay collections. Of course they would also know about friends and girlfriends if the iPhone user had any.
Seriot showed how an innocent-looking app could be designed to harvest personal data and send it to a remote server without the user knowing it.
Basically you stick the nasty app inside the innocent one.
Then the next thing to target is the address book which thanks to Steve Jobs‘ programming genius is readable without the user’s knowledge or consent.
While Jobs’ Mobs sandboxing technique limits access to other applications’ data but leaves exposed data in the iPhone file system, including some information contains personal information.
To prove his point he created an open-source proof-of-concept spyware dubbed “SpyPhone” that can access the 20 most recent Safari searches, YouTube history, and e-mail account parameters like username, e-mail address, host and login, as well as detailed information on the phone itself that can be used to track users even when they change devices.
His software can be used to track the user’s whereabouts and activities. It offers access to the keyboard cache, which contains all the words ever typed on the keyboard except for words entered in password fields, effectively acting as a key-logger, he said.
All the hacker needs to do is get their iPhone app approved and unless you Google that is a doddle.
While getting an app distributed through Apple’s App Store developers you need to be enrolled in the iPhone Developer Program and provide an executable file.
However Apple does not need the source code to do any vetting. The approval process is only interested in user interface inconsistencies, undocumented function calls and malware.
He thinks with the right programming tricks you can hide from common static and dynamic analysis.
Apple has already found several iPhone apps harvesting user data and pulled them from the app store.
Seriot said that consumers should be aware that iPhone security is far from perfect and that a piece of software downloaded from the App Store may still be harmful.
Seriot told Jobs’ Mob about the flaw and thought Apple might address the problem in its latest security update.
We guess that would be helpful and user friendly and therefore it was obvious that Apple would do nothing and not reply to hacks who asked them about it.