Apple iPhone App Security in Spotlight at Black Hat

At the upcoming Black Hat DC security conference, software engineer Nicolas Seriot will focus on security and privacy issues involving third-party applications developed for the Apple iPhone.

A software engineer is highlighting the challenges facing mobile application stores in an upcoming presentation at Black Hat DC.

In his presentation Feb. 3, software engineer Nicolas Seriot will focus on applications for the Apple iPhone, and how Apple's guarantees of privacy and applications can fall short at the App Store's virtual door.

"In late 2009, I was involved in discussions with the Swiss private banking industry regarding the confidentiality of iPhone personal data," Seriot told eWEEK. "Bankers wanted to know how safe their information [stores] were, which ones are exactly at risk and which ones are not. In brief, I showed that an application downloaded from the App Store to a standard iPhone could technically harvest a significant quantity of personal data ... [including] the full name, the e-mail addresses, the phone number, the keyboard cache entries, the Wi-Fi connection logs and the most recent GPS location."

Seriot said he wrote a proof-of-concept application and published it under an open-source license to illustrate the situation. Several other applications, such as Aurora Feint and MogoRoad, have been pulled from the App Store for privacy violations.

"The news here is that it was not of public knowledge that so many personal data were at risk, even on stock [non-jailbroken] iPhones," Seriot said. "With 10,000 applications submitted each day (including updates), and in a '$1 application' market, you must assume that there [is] more malware on the App Store, especially if the malware author bothered to use some basic programming tricks to fool App Store reviewers."

Apple declined to comment on security issues involving the App Store, but does make information for developers available on its Website.

The prospect of rogue applications is not unique to Apple, however. For example, Google removed several suspicious mobile banking applications from the Android Market following warnings from financial institutions. Mikko Hypp??énen, chief research officer at F-Secure, told eWEEK in a recent interview that more rogue applications for mobile devices will likely appear.

Seriot said Apple should stop claiming that iPhone applications cannot access data stored by other applications. This is wrong and dangerous, he said.

"Next, Apple should consider using their application reviews to validate a security profile, which would be submitted by developers with each application," he said. "This profile would define which resource an application can or cannot access. As a result, the risks would be mitigated, without the user being overwhelmed with security pop-ups. This would be a nice way to take advantage of the mandatory App Store review process."

Though applications cannot break out of their sandbox, the sandboxing rules are too loose, allowing any application downloaded from the App Store to read "a bunch of system files or several preference files from other applications," he said.

In a paper on the issue, Seriot recommended that users regularly clean the browser's recent searches and keyboard cache in Settings, and delete the declared phone number in Settings as well.

"Users can delete their phone number from iPhone Settings [and] reset the keyboard cache and Safari's Web history, but there is little they can do to prevent their Address Book or their own e-mail address from being harvested by malware," he told eWEEK. "Big companies may also consider Apple's program for iPhone enterprise deployment, which lets administrators create configuration profiles enforcing restrictions such as disabling Safari or disabling the App Store."

Black Hat DC will be held in Arlington, Va., from Jan. 31 to Feb. 3.