Even stock iPhones can hand over personal information
by Steve Ragan - Dec 4 2009, 17:00
There has been a lot of talk about the malware that can take information from jailbroken iPhones. However, in a recent talk on iPhone privacy given to the iPhone developer user group in Geneva, Nicolas Seriot explained that it is entirely possible for someone to access the same data on stock iPhones.
In his talk, Seriot discussed the recent wave of attacks on jailbroken iPhones. He explained how malicious programs take advantage of flaws in the device to harvest information. These flaws, as many are aware, center on the use of the default password alpine, and the fact that most people never change it when they jailbreak their devices.
In addition to the four attacks on the jailbroken devices, he also covered the Storm 8 story, where the popular game developer was sued over the fact that several of its applications were snooping on personal information such as wireless phone numbers. Seriot is an iPhone developer and trainer, so he knows the ins and outs of the iPhone and the risks associated with it. The result of all of these privacy issues, Seriot noted in one of his slides, is that Apple gets bad press, “even then this is totally unjustified.”
His talk moved forward with a hypothetical, wherein you are asked to imagine a rogue breakout in the AppStore. The hypothetical addressed an attack where an attacker could not use the API used by the AppStore or information voluntarily handed over by users through Facebook or Twitter. Yet, even with these restrictions, Seriot explained ways in which a rogue application could still access the sensitive information on the device.
Information such as the phone number of the device was revealed as the easiest to access, as this number is entered into iTunes when the phone is first connected. The good news is that this can be changed, he noted. Moreover, the API used for the Address Book is another way for a rogue application to harvest information from a stock iPhone.
“Another way to collect personal data is to use the AddressBook API. There is no ‘Me’ record, but any application can read and edit the whole AddressBook without the user noticing it. Things can go bad if a rogue application does alter the email addresses, because Mail.app displays the contact’s full name only,” Seriot explained.
To demonstrate the amount of information a rogue application could harvest on a stock iPhone, Seriot developed a program aptly named SpyPhone. The SpyPhone application will pull an amazing amount of data, including Safari searches, YouTube searches, email information, the keyboard cache (which contains every word you have ever typed in a non-password field), the geographic information from photos taken, as well as the information from the location of Wi-Fi connections.
If you want to check out SpyPhone, the source is here. In his slides, Seriot says you can email yourself a report and inspect the data collected from your computer.
As part of his recommendations, Seriot said that some of the risks could be mitigated by prompting the user to allow read-write access to the AddressBook, and the Wi-Fi history shouldn’t be readable by a mobile user. In addition, he suggested that the keyboard cache should be an OS service and perhaps the iPhone should feature an outgoing firewall.
“Based on security principles, considering these recommendations would be a huge improvement on [the] current situation,” he commented in his slide notes.
If you want to view the slides from the talk, those are here.
