    Apple iPhone App Security in Spotlight at Black Hat

    Written by Brian Prince
    Published January 28, 2010

      A software engineer is highlighting the challenges facing mobile application stores in an upcoming presentation at Black Hat DC.

      In his presentation on Feb. 3, software engineer Nicolas Seriot will focus on applications for the Apple iPhone, and on how Apple’s guarantees about privacy and applications can fall short at the App Store’s virtual door.

      “In late 2009, I was involved in discussions with the Swiss private banking industry regarding the confidentiality of iPhone personal data,” Seriot told eWEEK. “Bankers wanted to know how safe their information [stores] were, which ones are exactly at risk and which ones are not. In brief, I showed that an application downloaded from the App Store to a standard iPhone could technically harvest a significant quantity of personal data … [including] the full name, the e-mail addresses, the phone number, the keyboard cache entries, the Wi-Fi connection logs and the most recent GPS location.”

      Seriot said he wrote a proof-of-concept application and published it under an open-source license to illustrate the situation. Several other applications, such as Aurora Feint and MogoRoad, have been pulled from the App Store for privacy violations.

      “The news here is that it was not of public knowledge that so many personal data were at risk, even on stock [non-jailbroken] iPhones,” Seriot said. “With 10,000 applications submitted each day (including updates), and in a ‘$1 application’ market, you must assume that there [is] more malware on the App Store, especially if the malware author bothered to use some basic programming tricks to fool App Store reviewers.”

      Apple declined to comment on security issues involving the App Store, but does make information for developers available on its Website.

      The prospect of rogue applications is not unique to Apple, however. For example, Google removed several suspicious mobile banking applications from the Android Market following warnings from financial institutions. Mikko Hyppönen, chief research officer at F-Secure, told eWEEK in a recent interview that more rogue applications for mobile devices will likely appear.

      Seriot said Apple should stop claiming that iPhone applications cannot access data stored by other applications. This is wrong and dangerous, he said.

      “Next, Apple should consider using their application reviews to validate a security profile, which would be submitted by developers with each application,” he said. “This profile would define which resource an application can or cannot access. As a result, the risks would be mitigated, without the user being overwhelmed with security pop-ups. This would be a nice way to take advantage of the mandatory App Store review process.”

      Though applications cannot break out of their sandbox, the sandboxing rules are too loose, allowing any application downloaded from the App Store to read “a bunch of system files or several preference files from other applications,” he said.

      In a paper on the issue, Seriot recommended that users regularly clean the browser’s recent searches and keyboard cache in Settings, and delete the declared phone number in Settings as well.

      “Users can delete their phone number from iPhone Settings [and] reset the keyboard cache and Safari’s Web history, but there is little they can do to prevent their Address Book or their own e-mail address from being harvested by malware,” he told eWEEK. “Big companies may also consider Apple’s program for iPhone enterprise deployment, which lets administrators create configuration profiles enforcing restrictions such as disabling Safari or disabling the App Store.”

      Black Hat DC will be held in Arlington, Va., from Jan. 31 to Feb. 3.
