#1
Source: http://seriot.ch/blog.php?article=20100203
I had no idea things were this bad. Developers with malicious intent can mine tons of personal data WITHOUT using private frameworks or having root access. That means Apps in the App Store can do it.

Context: in its secretive review process* Apple is rejecting ~10% of submissions due to spyware or malicious intent. (*§5.4 – You may not make any public statements regarding this Agreement.) It's easy to see how, out of the 10,000+ submissions they get each week, SOME bad apps are getting or will get through. It's a subjective process, the odds are against the reviewers, and so it's only a matter of time.

MAJOR PRIVACY VULNERABILITIES - *as of 02/2010
- your phone #
- unrestricted access to your address book
- phone and email account details (eg. your mail server and username; phone IMEI)
- Safari and YouTube search history
- keyboard cache (yes, everything you've typed in)
- where and when you took your photos (the hidden geo-tagging data)
- your current location via GPS (or cellular triangulation)
- your WiFi hotspot connection history
- and more...

As you can see, that is basically ALL of your MOST PRIVATE information. And to reiterate: it's all right there for any App in the App Store to see. And we haven't even touched on private frameworks or dangerous things we could do with root access. No. This is all above board, according to the SDK, from a technical standpoint. It's "against the rules" to violate laws with your App, so Apple has the power to unilaterally reject Apps for security violations. But someone has to catch the violation first, hence with the sheer number of apps, the odds are against Apple.

Example cases of violators who were caught too late to prevent damage
- Aurora Feint - pulled in July 2008 for transmitting contact emails in clear text. Affected 20 million users. Allowed back in after revising their privacy policies. Today how many of us have Aurora's OpenFeint software on our devices?
- Storm8 Software (iMobsters, etc.) - federal lawsuit filed in November 2009 for collecting the phone numbers of its customers. Affects every Storm8 game; 20 million downloads. Games were not pulled.
- MogoRoad - pulled in September 2009 for transmitting phone numbers in clear text. Customers got unsolicited commercial phone calls. Also allowed back in after revising their privacy policy.

There are 10s of millions of iPhones in use... the potential for the largest scale and most disturbing personal security attacks yet in computer history is right here, in our pockets. I want to repeat one particularly frightening and futuristic attack scenario: using data collected from your seemingly harmless Breakout clone App, you could identify wealthier customers (by their neighborhood, by the products they're searching for, etc.), monitor their current locations via GPS, and then when they go out of town, go to their house and clean them out. Talk about 21st century thievery. You've used Apple technology to identify ideal targets and perfect windows of opportunity.

IMPORTANT NOTES TO TAKE AWAY FROM THIS
1. Go into Settings on your iPhone and remove your phone number RIGHT NOW. Change it to 555-1234 or some other nonsense. Just don't have your real number there.
2. Clear your caches periodically. That means Safari and any other program that maintains a history of your actions.
3. Since only Apple has the ability to protect you from a dangerous app in sheep's clothing, you have to be extra diligent about what you install and who/where you get it from. We just don't know what the author really has in mind, and if something has slipped past review.

Last edited by sticktron; 11-29-2010 at 06:54 AM.
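As an added illustration of the post's central claim (no private frameworks, no root, no prompt), here is an editor-written Objective-C snippet, not code from the thread or from the linked seriot.ch write-up, that walks the address book with the public AddressBook framework as it shipped on iOS 3.x and reads the device's own number from the user defaults. The `SBFormattedPhoneNumber` key is an assumption from that era and should be checked against the write-up; everything else is the documented C API of the time.

```objective-c
// Added example (not from the thread or the linked seriot.ch post): what an
// ordinary App Store app could read on iOS 3.x with public APIs only.
// Build with: -framework Foundation -framework AddressBook (manual retain/release era).
#import <Foundation/Foundation.h>
#import <AddressBook/AddressBook.h>

// Returns one "Name: number, number" line per contact. On iOS 2-5 there was
// no consent dialog; ABAddressBookCreate() simply handed back the whole book.
static NSArray *collectContacts(void) {
    NSMutableArray *lines = [NSMutableArray array];
    ABAddressBookRef ab = ABAddressBookCreate();
    if (ab == NULL) return lines;

    CFArrayRef people = ABAddressBookCopyArrayOfAllPeople(ab);
    CFIndex n = people ? CFArrayGetCount(people) : 0;
    for (CFIndex i = 0; i < n; i++) {
        ABRecordRef person = CFArrayGetValueAtIndex(people, i);
        NSString *name = (NSString *)ABRecordCopyCompositeName(person);
        ABMultiValueRef phones = ABRecordCopyValue(person, kABPersonPhoneProperty);
        NSArray *numbers = phones ? (NSArray *)ABMultiValueCopyArrayOfAllValues(phones) : nil;

        [lines addObject:[NSString stringWithFormat:@"%@: %@",
                          name ?: @"(no name)",
                          [numbers componentsJoinedByString:@", "] ?: @""]];

        [name release];
        [numbers release];
        if (phones) CFRelease(phones);
    }
    if (people) CFRelease(people);
    CFRelease(ab);
    return lines;
}

// The device's own number: tip #1 in the post ("remove your phone number in
// Settings") targets exactly this value. Key name is an ASSUMPTION about the
// iOS 3.x defaults; verify against the linked write-up before relying on it.
static NSString *ownPhoneNumber(void) {
    return [[NSUserDefaults standardUserDefaults] objectForKey:@"SBFormattedPhoneNumber"];
}

int main(void) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    NSLog(@"own number: %@", ownPhoneNumber());
    for (NSString *line in collectContacts()) {
        NSLog(@"%@", line);
    }
    [pool drain];
    return 0;
}
```

The point of the snippet is what is absent: no entitlement, no permission request, no private symbol, so nothing for a reviewer to grep for beyond intent. Since iOS 6 the same call path requires `ABAddressBookRequestAccessWithCompletion` and a user prompt, and iOS 9 replaced the framework with Contacts, so this code documents the 2010 situation the thread is about rather than current platform behaviour.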
#2
"keyboard cache (yes, everything you've typed in)" - that doesn't make sense. How big could the keyboard cache be?
#3
"MAJOR PRIVACY VULNERABILITIES - *as of 02/2010"
As of 02/2010 - this is old news and probably inaccurate. Your phone number isn't useful without your name, and even then they can't do much with it. The only thing to be concerned about is if they can get your email username, and that's not exactly a secret.
#4
|
|||
|
|||
|
As big as your dirty habits
#5
There goes my mobile porn . . .
#6
The Aurora Feint one sounds like a genuine mistake or misjudgement. It says clear text, which suggests they're supposed to encrypt such things, but merely didn't think to... I'm guessing.
#7
It probably was, but the point was that a simple slip-up affects millions of users.
Also, this stuff is still much the same today. It's been that way since iOS 1.0. And if you don't consider having your location tracked, your unlisted cell number being sold to telemarketers, your passwords being stolen, your address book being tampered with, or having a man-in-the-middle intercepting and recording all your web traffic pretty damn serious... I don't know what to say. What else IS there to safeguard?
#8
|
|||
|
|||
|
Quote:
You retrieve an alphabetized list, eg. daughter donkey midget sex teen, and it doesn't take much imagination to figure out that person's secret perversions.
#9
|
|||
|
|||
|
You need to reread what I wrote. Not only is your name and number available, so is your address and gps location, your family and friends' names numbers and addresses too.
#10
Doesn't every connected electronic device with this info on it have the same problem? I personally don't care if someone knows I look at donkey porn; who would be the real perv if they really do care? Phone #: I still have the deny-call button. Email: well, I think every scumbag already has that info. The real concerns are not on the list, which would be billing numbers and iTunes account passwords. This feels less risky than using my computer, and I look at way more scary shit on that.