Should iPhone Users Worry About Rogue Apps?

What risk is there from “rogue” apps getting installed on iPhones? Swiss researcher Nicolas Seriot thinks it’s very serious, and he’s made a proof-of-concept app to show people. In a talk at this year’s Black Hat security conference, Seriot is discussing how apps on the iPhone can harvest data from a device. He says it’s easy for an application to retrieve the following data on an iPhone:

  • Phone number
  • Address book info
  • File system information
  • The 20 most recent Safari searches
  • YouTube history
  • E-mail account parameters (though not the password)
  • The iPhone’s UUID
  • The iPhone’s ICCID (its SIM card serial number)
  • The iPhone’s IMSI (International Mobile Subscriber Identity)
  • The keyboard cache (which contains words typed, used for auto-complete)
  • Information about photos taken with the phone, such as date, time, and location

Okay, first a reality check: any application on a computer (Mac, Windows or Linux) has access to similar information (not phone numbers, of course, if the device is not a phone). The real problem here is not the access to information – because access to, say, your Address Book or iCal events, on Mac OS X, is a feature, not a bug – but whether that information can surreptitiously be obtained from your device and communicated to a third party. We’re not saying this isn’t an issue; it’s just part of what happens when you install applications. You can never know exactly what those applications are doing.

Seriot has some valid points, but then he gets lost in speculation that is, well, a bit wild. For example, say someone creates an app to follow Hollywood gossip on the iPhone.

While giving clues about spotting stars, it surreptitiously goes through your address book and edits the email addresses.

Knowing that film industry people are likely to download this application, the emails they send are diverted to a clandestine server, providing potentially compromising private information to a prospective blackmailer.

Blackmailer? Seriously? Anyone who wants to blackmail people will have to do better than that. Seriot does not say that e-mails can be trapped by his “spyware”.

Or how about this one?

An application for Rolls Royce owners or art collectors could report the name, the area, the phone and the geotagged photos of wealthy people. This is enough information to rob them, especially if it can be determined that the targeted individuals are currently away from home.

Sure, “Rolls Royce owners” are going to all run out and grab an app for their iPhones. To do what? Rolls Royce-spotting?

Or what about VIPs?

It is easy to imagine how an attack could be targeted against a particular individual. For example, French Prime Minister François Fillon is very proud of his iPhone and takes it everywhere. Fillon is a native of the French region called la Sarthe, where he also has his political roots. There is a significant likelihood that he would download an iPhone application designed to provide local breaking political news. It does not take much imagination to see the potential for damage in such a scenario.

I certainly hope that government officials follow a security policy and do not install third-party apps on their devices. Or if they do, they don’t use those devices for sensitive communication.

In short, there are real risks of data harvesting on any mobile device, and the iPhone in particular. However, these same risks exist on computers. Users install plenty of applications that could be stealing data and sending it to a remote server. Since most applications connect to the Internet, if only to check for updates, users can’t know which applications may be doing this and what they may be sending. Intego VirusBarrier X6 includes spyware protection for Mac OS X, offering granular settings per application and port, so users can find out which applications “phone home”. But this type of application is not available for the iPhone, because Apple does not allow third-party apps to run in the background. Perhaps that’s what’s needed to protect iPhone users from these “rogue” apps?