[apple-iphone] Researcher warns of risks from rogue iPhone apps
Lax security screening at Apple's App Store and a design flaw are putting
iPhone users at risk of downloading malicious applications that could steal data and spy on them, a Swiss researcher warns.
Apple's iPhone app review process is inadequate to stop malicious apps
from getting distributed to millions of users, according to Nicolas
Seriot, a software engineer and scientific collaborator at the Swiss
University of Applied Sciences (HEIG-VD). Once they are downloaded,
iPhone apps have unfettered access to a wide range of privacy-invasive
information about the user's device, location, activities, interests,
and friends, he said in an interview Tuesday.
In a talk scheduled for Wednesday at the Black Hat DC
security conference, Seriot will explain how an innocent-looking app
could be designed to harvest personal data and send it to a remote
server without the user knowing it.
The rogue app could be hidden within an innocent-looking app, such as a game. Low-hanging fruit for rogue apps includes the mobile-phone number, address book data, and a notes section of the address book, where some people store bank account and other sensitive information, he said.
"It turns out that the full Address Book is readable without the user's knowledge or consent," Seriot wrote in a white paper (PDF) on the subject.
In addition, a sandboxing technique limits access to other applications' data but leaves exposed data in the iPhone file system, including some personal information, he said. To make his point, Seriot has created open-source proof-of-concept spyware dubbed "SpyPhone" that can access the 20 most recent Safari searches, YouTube history, and e-mail account parameters like username, e-mail address, host, and login, as well as detailed information on the phone itself that can be used to track users, even when they change devices.