UH-OH! iOS Has Serious Security Flaws

Discussion in 'Lounge' started by sticktron, Nov 28, 2010.

  1. sticktron

    sticktron Well-Known Member

    #1 sticktron, Nov 28, 2010
    Last edited: Nov 29, 2010
    Source: http://seriot.ch/blog.php?article=20100203


    I had no idea things were this bad. Developers with malicious intent can mine tons of personal data WITHOUT using private frameworks or having root access. That means Apps in the App Store can do it.

    Context: in its secretive review process* Apple is rejecting ~10% of submissions due to spyware or malicious intent. (*S5.4 – You may not make any public statements regarding this Agreement.) It's easy to see how out of the 10,000+ submissions they get each week that SOME bad apps are getting or will get through. It's a subjective process, the odds are against the reviewers, and so it's only a matter of time.


    MAJOR PRIVACY VULNERABILITIES - *as of 02/2010
    - your phone #
    - unrestricted access to your address book
    - phone and email account details (eg. your mail server and username; phone IMEI)
    - Safari and YouTube search history
    - keyboard cache (yes, everything you've typed in)
    - where and when you took your photos (the hidden geo-tagging data)
    - your current location via GPS (or cellular triangulation)
    - your WiFi hotspot connection history
    - and more...


    As you can see, that is basically ALL of your MOST PRIVATE information. And to reiterate: it's all right there for any App in the App Store to see. And we haven't even touched on private frameworks or dangerous things we could do with root access. No. This is all above board, according to the SDK, from a technical standpoint. It's "against the rules" to violate laws with your App, so Apple has the power to unilaterally reject Apps for security violations. But someone has to catch the violation first, hence with the sheer number of apps, the odds are against Apple.


    Example cases of violators who were caught too late to prevent damage

    Aurora Feint - pulled in July 2008 for transmitting contact emails in clear text. Affected 20 million users. Allowed back in after revising their privacy policies. Today how many of us have Aurora's OpenFeint software on our devices?

    Storm8 Software (iMobsters, etc.) - federal lawsuit filed in November 2009 for collecting the phone numbers of its customers. Affects every Storm8 game; 20 million downloads. Games were not pulled.

    MogoRoad - pulled in September 2009 for transmitting phone numbers in clear text. Customers got unsolicited commercial phone calls. Also allowed back in after revising their privacy policy.


    There are 10s of millions of iPhones in use... the potential for the largest scale and most disturbing personal security attacks yet in computer history is right here, in our pockets.

    I want to repeat one particularly frightening and futuristic attack scenario: using data collected from your seemingly harmless Breakout clone App, you could identify wealthier customers (by their neighborhood, by the products they're searching for, etc.), monitor their current locations via GPS, and then when they go out of town, go to their house and clean them out. Talk about 21st century thievery. You've used Apple technology to identify ideal targets and perfect windows of opportunity.


    IMPORTANT NOTES TO TAKE AWAY FROM THIS
    1. Go into Settings on your iPhone and remove your phone number RIGHT NOW. Change it to 555-1234 or some other nonsense. Just don't have your real number there.
    2. Clear your caches periodically. That means Safari and any other program that maintains a history of your actions.
    3. Since only Apple has the ability to protect you from a dangerous app in sheep's clothing, you have to be extra diligent about what you install and who/where you get it from. We just don't know what the author really has in mind, and if something has slipped past review.
     
  2. acrotran

    acrotran Well-Known Member

    "keyboard cache (yes, everything you've typed in)" - that doesn't make sense. How big could the keyboard cache be?
     
  3. acrotran

    acrotran Well-Known Member

    "MAJOR PRIVACY VULNERABILITIES - *as of 02/2010"

    As of 02/2010 - this is old news and probably inaccurate.

    Your phone number isn't useful without your name, and even then they can't do much with it.

    The only thing to be concerned about is if they can get your email username, and that's not exactly a secret.
     
  4. fallenashes

    fallenashes Well-Known Member

    yes
    As big as your dirty habits
     
  5. Cilo

    Cilo Well-Known Member

    There goes my mobile porn . . . :mad::mad::mad:
     
  6. MidianGTX

    MidianGTX Well-Known Member

    The Aurora Feint one sounds like a genuine mistake or misjudgement. It says clear text, which suggests they're supposed to encrypt such things, but merely didn't think to... I'm guessing.
     
  7. sticktron

    sticktron Well-Known Member

    It probably was but the point was that a simple slip up affects millions of users.

    Also, this stuff is still much the same today. It's been that way since iOS 1.0.

    And if you don't consider having your location tracked, your unlisted cell number being sold to telemarketers, your passwords being stolen, your address book being tampered with, or having a man-in-the-middle intercepting and recording all your web traffic pretty damn serious... I don't know what to say. What else IS there to safeguard?
     
  8. sticktron

    sticktron Well-Known Member

    There aren't that many unique words, not enough to be a concern from a storage standpoint.

    You retrieve an alphabetized list, eg. daughter donkey midget sex teen, and it doesn't take much imagination to figure out that person's secret perversions.
     
  9. sticktron

    sticktron Well-Known Member

    You need to reread what I wrote. Not only is your name and number available, so is your address and GPS location, your family and friends' names, numbers and addresses too.
     
  10. eyemh8

    eyemh8 Well-Known Member

    Doesn't every connected electronic device with this info on it have the same problem? I personally don't care if someone knows if I look at donkey porn; who would be the real perv if they really do care? Phone #: I still have the deny call button. Email: well, I think every scumbag already has that info. The real concerns are not on the list, which would be billing numbers and iTunes account passwords. This feels less risky than using my computer, and I look at way more scary shit on that.
     
  11. sticktron

    sticktron Well-Known Member

    Every device has the potential to be this unsecure. But billions of dollars are spent each year making them not.

    This is stuff an App is capable of. Not a hacker. No special access required. I could gather this info secretly from inside an App I release on the App Store. If it's free, maybe hundreds of thousands of people will be infected. I could track them all on my monitor, like little dots on a map. See where they shop, where their kids go to school, where the families live, etc. Does that not scare you? What if someone targeted your mom because they can see that she goes grocery shopping every Thursday at 9:00pm?
     
  12. acrotran

    acrotran Well-Known Member

    How big is the keyboard cache?
     
  13. acrotran

    acrotran Well-Known Member

    #13 acrotran, Nov 28, 2010
    Last edited: Nov 29, 2010
    Wow! Now you're just making stuff up. You're trying to pass yourself off as a security expert, but this thread is a joke.

    Every company I do business with has my name, address, phone number, and email. Big deal.
     
  14. eyemh8

    eyemh8 Well-Known Member

    Dude, unplug and get your tin foil hat out. Adding hidden malicious software is hacking as far as I'm concerned. And if someone wanted to attack my mom at the store, and they made an app that they hoped I downloaded, and were smart enough to figure out where my mom shops with it, and did it, I don't think I would be mad; I would be more impressed that I was that important.
     
  15. Foozelz

    Foozelz Well-Known Member

    Wait, are you saying that dolphins are fishes and not mammals?
     
  16. This is largely just FUD. On iOS, most of that isn't even possible without the user explicitly allowing your app to do that, and tracking isn't possible unless the app is backgrounded. There are already safeguards in place in iOS that can prevent a good portion of the most grievous invasions of privacy, or at least limit it to user agreement. For the rest -- well, that's one of the primary reasons for Apple's review process, and you can bet that if any extremely serious threat somehow manages to bypass both the review process and user agreement and makes it on to the App Store, it will be discovered pretty quickly, yanked, and Apple will tighten up the loopholes that allowed it to happen.

    No system is 100% secure, but the built-in safeguards combined with Apple's review process go a long way to preventing bad things from happening.
     
  17. sticktron

    sticktron Well-Known Member

    I can't believe the attitude in here. For one thing I'm merely the messenger. The paper and talk ARE by an expert in this area. Try his test app to see what info of yours is gathered. You don't get prompted for anything.

    If there is interest in some form of protection I'll make a simple tweak for jailbreakers that triggers prompts when an app tries to access your address book, IMEI, etc. the same way the temporary PDF fix was made. But if no one cares, well, good luck.
     
  18. 270Kp

    270Kp Well-Known Member

    I care.
     
  19. YouSuckDude

    YouSuckDude Well-Known Member

    There's already a jailbroken app on cydia for this called privaCy :)
     
  20. sticktron

    sticktron Well-Known Member

    PrivaCy is only for opting out of usage tracking for a few stat packages.
     
