A software engineer is highlighting the challenges facing mobile
application stores in an upcoming presentation at Black Hat DC.
In his presentation on Feb. 3, software engineer Nicolas Seriot will focus on applications
for the Apple iPhone, and on how Apple's privacy guarantees for applications
can fall short at the App Store's virtual door.
"In late 2009, I was involved in discussions with the Swiss private
banking industry regarding the confidentiality of iPhone personal data,"
Seriot told eWEEK. "Bankers wanted to know how safe their information [stores]
were, which ones are exactly at risk and which ones are not. In brief, I showed
that an application downloaded from the App Store to a standard iPhone
could technically harvest a significant quantity of personal data … [including]
the full name, the e-mail addresses, the phone number, the keyboard cache
entries, the Wi-Fi connection logs and the most recent GPS
location."
Seriot said he wrote a proof-of-concept application and published it under
an open-source license to illustrate the situation. Several other applications,
such as Aurora Feint and MogoRoad, have been pulled from the App Store for
privacy violations.
"The news here is that it was not of public knowledge that so many
personal data were at risk, even on stock [non-jailbroken] iPhones,"
Seriot said. "With 10,000 applications submitted each day (including
updates), and in a '$1 application' market, you must assume that there [is]
more malware on the App Store, especially if the malware author bothered to use
some basic programming tricks to fool App Store reviewers."
Apple declined to comment on security issues involving the App Store, but does
make information for developers available on its Website.
The prospect of rogue applications is not unique to Apple, however. For
example, Google removed several suspicious mobile banking applications from
the Android Market following warnings from financial institutions. Mikko
Hyppönen, chief research officer at F-Secure, told eWEEK in a recent interview
that more rogue applications for mobile devices will likely appear.
Seriot said Apple should stop claiming that iPhone applications cannot
access data stored by other applications. This is wrong and dangerous, he said.
"Next, Apple should consider using their application reviews to
validate a security profile, which would be submitted by developers with each
application," he said. "This profile would define which resource an
application can or cannot access. As a result, the risks would be mitigated,
without the user being overwhelmed with security pop-ups. This would be a nice
way to take advantage of the mandatory App Store review process."
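The profile idea Seriot describes, sketched as an added example that is not from the article, from Seriot's proof-of-concept or from Apple: a developer-submitted manifest declares which resources an application needs, the store validates that manifest at review time, and a reference monitor on the device then mediates each access against it. The resource names, the manifest format, the sample "navigator" app and its access sequence are all constructed assumptions; the example goes one step beyond the quoted proposal by also showing the runtime enforcement that would give the reviewed profile its teeth.

```python
"""Reference-monitor sketch for a per-application security profile.

Added example, not code from the article, from Seriot or from Apple. The
resource names below are assumptions modelled on the data the article says a
stock iPhone app could read; the manifest format is likewise an assumption.
"""
from dataclasses import dataclass, field

# Resources the platform knows how to mediate (assumed list). "own_sandbox"
# stands for the app's own container and is always permitted.
KNOWN_RESOURCES = {
    "address_book", "email_address", "phone_number",
    "keyboard_cache", "wifi_logs", "gps_location",
    "own_sandbox",
}


@dataclass(frozen=True)
class SecurityProfile:
    app_id: str
    allowed: frozenset  # resources the developer declared the app needs

    @classmethod
    def from_manifest(cls, manifest: dict) -> "SecurityProfile":
        """Review-time validation of a submitted profile.

        A profile naming a resource the platform does not model cannot be
        enforced, so it is rejected outright rather than silently ignored.
        """
        requested = set(manifest.get("resources", []))
        unknown = requested - KNOWN_RESOURCES
        if unknown:
            raise ValueError(f"unknown resources in profile: {sorted(unknown)}")
        return cls(manifest["app_id"], frozenset(requested | {"own_sandbox"}))


class AccessDenied(PermissionError):
    pass


@dataclass
class ReferenceMonitor:
    """Runtime side: every resource access is checked against the profile."""
    profile: SecurityProfile
    audit_log: list = field(default_factory=list)

    def access(self, resource: str) -> bool:
        decision = resource in self.profile.allowed
        self.audit_log.append(
            (self.profile.app_id, resource, "allow" if decision else "deny"))
        if not decision:
            raise AccessDenied(f"{self.profile.app_id} may not read {resource}")
        return True


def run_app(monitor: ReferenceMonitor, accesses: list) -> tuple:
    """Simulate an app's access sequence; return (granted, denied) lists."""
    granted, denied = [], []
    for resource in accesses:
        try:
            monitor.access(resource)
            granted.append(resource)
        except AccessDenied:
            denied.append(resource)
    return granted, denied


# Constructed sample: a navigation app that declares only GPS, then tries to
# read the address book and keyboard cache anyway.
SAMPLE_MANIFEST = {"app_id": "com.example.navigator", "resources": ["gps_location"]}
SAMPLE_ACCESSES = ["own_sandbox", "gps_location", "address_book", "keyboard_cache"]


def demo() -> tuple:
    """Validate the sample manifest, run the sample app, return results + log."""
    profile = SecurityProfile.from_manifest(SAMPLE_MANIFEST)
    monitor = ReferenceMonitor(profile)
    return run_app(monitor, SAMPLE_ACCESSES), monitor.audit_log


if __name__ == "__main__":
    (granted, denied), log = demo()
    print("granted:", granted)
    print("denied: ", denied)
    for entry in log:
        print("audit:", entry)
```

The point of the split between `from_manifest` and `ReferenceMonitor.access` is that the review step answers the question the user is never asked ("does this app have any business reading the address book?"), while the audit log gives the store evidence when a reviewed app later tries something its profile did not declare.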
Though applications cannot break out of their sandbox, the sandboxing rules
are too loose, allowing any application downloaded from the App Store to read "a
bunch of system files or several preference files from other applications,"
he said.
In a paper on the issue, Seriot recommended that users regularly clean the
browser's recent searches and keyboard cache in Settings, and delete the
declared phone number in Settings as well.
"Users can delete their phone number from iPhone Settings [and] reset
the keyboard cache and Safari's Web history, but there is little they can do to
prevent their Address Book or their own e-mail address from being harvested by
malware," he told eWEEK. "Big companies may also consider Apple's
program for iPhone enterprise deployment, which lets administrators create
configuration profiles enforcing restrictions such as disabling Safari or
disabling the App Store."
Black Hat DC will be held in Arlington, Va.,
from Jan. 31 to Feb. 3.