Stephen Withers
Monday, 07 December 2009 11:09
A Swiss iPhone developer believes security vulnerabilities mean data stored on the handset is accessible to malicious applications.
Software engineer and iPhone developer Nicolas Seriot last week told a conference in Geneva that malicious apps running on an iPhone can collect various pieces of personal information - even if the iPhone hasn't been jailbroken.
Jailbreaking is the term widely used for the process of modifying the iPhone software so that applications and other software can be installed directly. This process inherently makes the iPhone more vulnerable.
Seriot showed how an application that calls only published APIs (a nominal requirement for software sold through Apple's App Store) can access personal information, beginning with the device's own phone number.
Applications also have unrestricted access to the Address Book and various other files.
Seriot's SpyPhone application shows how several types of data can be accessed, including recent Safari searches, YouTube searches and history, email addresses, SIM card and IMSI numbers, the keyboard cache ("every word you ever typed in a non password field"), the locations of geotagged photos, Wi-Fi access point usage ("Our spyware knows that on 2009-11-23 I was at Café du Simplon and got home at 22:39") and more.
Seriot notes that Apple's developer agreement requires compliance with relevant laws and regulations and that applications must not collect or disseminate information about users without authorisation.
However, the App Store "is a filter with false negatives," he warns, and cleverly written spyware can be difficult to detect. Seriot said about 100 pieces of spyware are rejected by the App Store daily - which leaves us wondering how many get through the process.
He points to examples such as MogoRoad and games from Storm8 that reportedly collected users' phone numbers.
NB: Mogo's Cédric Hale-Woods told iTWire in an email "We were accused of hacking the telephone numbers of people downloading our application from the App Store, but we could prove that we never acted this way. Today, two months after the internet buzz, our answer is that mogoRoad is back on the App Store in the Travel section, with the same version as earlier."
Seriot recommends that users should be prompted to authorise any access to the Address Book by apps, that the Wi-Fi connection history should not be readable, the keyboard cache should be an OS service, and that the iPhone should include an outbound firewall.
Despite these concerns, Seriot notes that "iPhone is still more secure than other platforms."
The slides from his presentation are available here [PDF, 2.1MB].