Malicious iPhone apps that Apple unwittingly approves could attack even non-jailbroken iPhones, according to a developer, but security experts say this isn't earth-shattering news.
“If you understand the way the security of the iPhone works, I don't think this is a surprise,” said Charlie Miller, an analyst at Independent Security Evaluators who in July demonstrated an SMS vulnerability that could let hackers take over the phone.
Nicolas Seriot, a Swiss iPhone developer, described in a write-up (PDF) a proof-of-concept app called SpyPhone, capable of reading and altering contacts, finding past Web searches, collecting recent GPS and Wi-Fi locations and copying everything you've ever typed on the phone except for passwords. (No, you can't download it from the App Store.)
The data Seriot describes isn't a direct threat to your passwords or e-mails, but it could be of interest to marketers, spammers, thieves, competitors and law enforcement officials, he says.
Obviously, Apple would never intentionally allow such an application into its App Store; Apple has said it rejects 10 percent of submissions for being "inappropriate," in some cases because they try to steal personal data. But Seriot says it's possible to trick App Store reviewers. This could be accomplished by delaying the spyware's activation until after review is over, encrypting the malicious payload so it isn't visible to inspection, or changing the app's behavior at runtime, Seriot claims.
Dino Dai Zovi, a security researcher and author of "The Mac Hacker's Handbook," said in an interview that the concerns Seriot raised are valid. Apple's reviewers can easily root out applications that, say, read an address book and send the contents to spammers. But it's harder to detect an application whose methods are less direct, for example one that downloads and executes a script from a Web server after it has been installed, so that the behavior a reviewer tested isn't the behavior users end up with. Also, App Store reviewers are only human, and they're under pressure to get through more submissions than reviewers on any other platform.
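The two cases Dai Zovi contrasts can be modeled in a few lines. The following is an added illustration, not code from the article, from Apple or from Seriot's SpyPhone: the simulated phone, the two "app" behaviors, the review harness and the runtime consent policy are all constructed for the example and run offline. It shows why a point-in-time review catches an app that reads the address book on every launch but sees nothing from one that stays dormant until a delay has passed and a remote server flips a flag, and why a policy enforced on every read, rather than once at review, closes that gap regardless of timing.

```python
"""Toy model of review evasion by time- and server-gated behavior.

Added illustration, not code from the article or from Seriot's SpyPhone.
The phone, the app behaviors, the review harness and the runtime policy are
all hypothetical constructs for this example and run offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

DAY = 86400

# Constructed sample data standing in for the address book and keyboard cache.
PHONE_DATA: Dict[str, List[str]] = {
    "contacts": ["Alice <alice@example.com>", "Bob <bob@example.com>"],
    "keyboard_cache": ["meeting at 10", "call mom", "flight lx14"],
}


@dataclass
class Phone:
    """Simulated device. With policy=None every app can read everything,
    which is the one-size-fits-all access model the article describes."""
    data: Dict[str, List[str]]
    policy: Optional[Callable[[str, str], bool]] = None
    access_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def read(self, app: str, resource: str) -> List[str]:
        if self.policy is not None and not self.policy(app, resource):
            self.access_log.append((app, resource, "denied"))
            return []
        self.access_log.append((app, resource, "allowed"))
        return list(self.data[resource])


# An "app" is a callable run once per launch: (phone, now, install_time, remote_config).
App = Callable[[Phone, int, int, Dict[str, bool]], Dict[str, List[str]]]


def direct_spyware(phone: Phone, now: int, installed: int, cfg: Dict[str, bool]):
    """Reads the address book on every launch. Trivial for a reviewer to catch."""
    return {"contacts": phone.read("direct", "contacts")}


def gated_spyware(phone: Phone, now: int, installed: int, cfg: Dict[str, bool]):
    """Dormant until 30 days have passed AND the operator's server says 'collect'.
    Neither condition holds while the app sits in review."""
    if now - installed < 30 * DAY or not cfg.get("collect", False):
        return {}
    return {r: phone.read("gated", r) for r in ("contacts", "keyboard_cache")}


def review_run(app: App, phone: Phone, days: int = 7) -> List[Tuple[str, str, str]]:
    """Point-in-time review: launch the app daily for a short window while the
    operator's server returns a benign configuration. Returns the allowed reads
    a reviewer would observe."""
    for day in range(days):
        app(phone, day * DAY, 0, {"collect": False})
    return [e for e in phone.access_log if e[2] == "allowed"]


def field_run(app: App, phone: Phone, days_after_install: int) -> Dict[str, List[str]]:
    """The same binary on a customer's phone after approval, with the server now
    returning 'collect'. Returns what the app managed to read."""
    return app(phone, days_after_install * DAY, 0, {"collect": True})


def consent_policy(grants: Dict[str, Set[str]]) -> Callable[[str, str], bool]:
    """Runtime policy in the install-time-permission spirit: an app may only read
    resources the user granted it. Checked on every read, not once at review."""
    return lambda app, resource: resource in grants.get(app, set())


if __name__ == "__main__":
    print("review sees (direct):", review_run(direct_spyware, Phone(PHONE_DATA)))
    print("review sees (gated): ", review_run(gated_spyware, Phone(PHONE_DATA)))
    print("field, no policy:    ", field_run(gated_spyware, Phone(PHONE_DATA), 45))
    guarded = Phone(PHONE_DATA, policy=consent_policy({"gated": {"location"}}))
    print("field, with policy:  ", field_run(gated_spyware, guarded, 45), guarded.access_log)
```

The review harness is deliberately generous (a week of daily launches), and it still sees nothing from the gated app, because the two conditions it waits on are entirely under the attacker's control. The consent policy denies the later reads without needing to know anything about the app's timing, which is the structural advantage of enforcing access at the point of use.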
Both Dai Zovi and Miller noted that Seriot's report brings up an Apple philosophy that differs from open platforms like Android.
Apple has a one-size-fits-all approach to data access, so if I download a game, it can still technically access my contacts and the record of what I've typed. On Android, users are told what data an application accesses when they install it, but the review process isn't as strict. Seriot's research essentially lists all the things a malicious app could reach under Apple's approach, and notes that only Apple's reviewers stand in the way.
“Largely, it's up to users to decide what experience they want,” Dai Zovi said. “Do they want the greater freedom with the greater risk of this type of spyware, or do they want the assurances--albeit imperfect assurances--provided by Apple looking over these applications?”