    Apple iPhone App Security in Spotlight at Black Hat

    By Brian Prince, January 28, 2010

      A software engineer is highlighting the challenges facing mobile application stores in an upcoming presentation at Black Hat DC.

      In his presentation Feb. 3, software engineer Nicolas Seriot will focus on applications for the Apple iPhone, and on how Apple’s guarantees about privacy and application behavior can fall short at the App Store’s virtual door.

      “In late 2009, I was involved in discussions with the Swiss private banking industry regarding the confidentiality of iPhone personal data,” Seriot told eWEEK. “Bankers wanted to know how safe their information [stores] were, which ones are exactly at risk and which ones are not. In brief, I showed that an application downloaded from the App Store to a standard iPhone could technically harvest a significant quantity of personal data … [including] the full name, the e-mail addresses, the phone number, the keyboard cache entries, the Wi-Fi connection logs and the most recent GPS location.”

      Seriot said he wrote a proof-of-concept application and published it under an open-source license to illustrate the situation. Several other applications, such as Aurora Feint and MogoRoad, have been pulled from the App Store for privacy violations.

      “The news here is that it was not of public knowledge that so many personal data were at risk, even on stock [non-jailbroken] iPhones,” Seriot said. “With 10,000 applications submitted each day (including updates), and in a ‘$1 application’ market, you must assume that there [is] more malware on the App Store, especially if the malware author bothered to use some basic programming tricks to fool App Store reviewers.”

      Apple declined to comment on security issues involving the App Store, but does make information for developers available on its Website.

      The prospect of rogue applications is not unique to Apple, however. For example, Google removed several suspicious mobile banking applications from the Android Market following warnings from financial institutions. Mikko Hyppönen, chief research officer at F-Secure, told eWEEK in a recent interview that more rogue applications for mobile devices will likely appear.

      Seriot said Apple should stop claiming that iPhone applications cannot access data stored by other applications. That claim is wrong and dangerous, he said.

      “Next, Apple should consider using their application reviews to validate a security profile, which would be submitted by developers with each application,” he said. “This profile would define which resource an application can or cannot access. As a result, the risks would be mitigated, without the user being overwhelmed with security pop-ups. This would be a nice way to take advantage of the mandatory App Store review process.”

      Though applications cannot break out of their sandbox, the sandboxing rules are too loose, allowing any application downloaded from the App Store to read “a bunch of system files or several preference files from other applications,” he said.
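      As an added illustration of the review-time "security profile" Seriot proposes (example code written for this page, not from the article or from Seriot's project), the following Python sketch compares a developer-declared resource profile against the files an app was observed reading; every path, category name and bundle identifier is constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed resource catalogue: the data categories the article says an App
# Store app could harvest, mapped to hypothetical path globs (not real iPhone paths).
RESOURCE_CATALOGUE = {
    "address_book": "/data/AddressBook/*",
    "keyboard_cache": "/data/Keyboard/*",
    "wifi_logs": "/data/Wifi/*",
    "location": "/data/Location/*",
    "system_files": "/system/*",
    "other_app_preferences": "/apps/*/Preferences/*",
}

@dataclass(frozen=True)
class SecurityProfile:
    """Developer-declared profile: the catalogue categories the app may read."""
    bundle_id: str
    declared: frozenset

def classify(path):
    """Map an accessed path to a catalogue category, or 'unknown'."""
    for category, pattern in RESOURCE_CATALOGUE.items():
        if fnmatch(path, pattern):
            return category
    return "unknown"

def review(profile, observed):
    """Reviewer-side check: each observed read must fall inside the app's own
    container or a declared category. Violations carry the category the
    developer would have had to declare, so the reviewer can request it or
    reject the submission without involving the end user."""
    own_container = f"/apps/{profile.bundle_id}/"
    allowed, violations = [], []
    for path in observed:
        category = classify(path)
        if path.startswith(own_container) or category in profile.declared:
            allowed.append(path)
        else:
            violations.append((path, category))
    return {"allowed": allowed, "violations": violations}

# Constructed submission: a notes app declaring only location access, plus the
# files it was observed reading during review.
SAMPLE_PROFILE = SecurityProfile("com.example.notes", frozenset({"location"}))
SAMPLE_ACCESSES = [
    "/apps/com.example.notes/Documents/notes.db",
    "/data/Location/recent.plist",
    "/data/AddressBook/contacts.db",
    "/apps/com.example.bank/Preferences/settings.plist",
]
```

Running `review(SAMPLE_PROFILE, SAMPLE_ACCESSES)` flags the address book read and the other app's preference file as undeclared, which is exactly the kind of access the article says the current sandbox rules permit silently.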

      In a paper on the issue, Seriot recommended that users regularly clean the browser’s recent searches and keyboard cache in Settings, and delete the declared phone number in Settings as well.

      “Users can delete their phone number from iPhone Settings [and] reset the keyboard cache and Safari’s Web history, but there is little they can do to prevent their Address Book or their own e-mail address from being harvested by malware,” he told eWEEK. “Big companies may also consider Apple’s program for iPhone enterprise deployment, which lets administrators create configuration profiles enforcing restrictions such as disabling Safari or disabling the App Store.”

      Black Hat DC will be held in Arlington, Va., from Jan. 31 to Feb. 3.
