Slashdot Mirror


Lawsuit Claims Top iPhone Games Stole User Data

pdclarry writes "Storm8, a maker of some top iPhone games, allegedly stole users' mobile phone numbers, according to a lawsuit filed on November 4. The suit claims that best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. There have been other reports of applications copying personally identifiable customer information in the past. The complaint seeks class-action status."

149 comments

  1. Big Surprise... by Super+Dave+Osbourne · · Score: 3, Insightful

    Is it a real surprise that there are iPhone apps out there that snoop, and bypass safeguards? When will encrypted data at the 2048 and higher bit level make it into the tech we take for granted on a daily basis? If you want safeguards, folks need to start using the stuff out on the market that is free to give them some level of protection against theft. Don't lock the door well, expect thieves, don't weatherize in well, expect to get cold. Don't encrypt your data, expect to lose it to theft.

    1. Re:Big Surprise... by Quantos · · Score: 5, Insightful

      We have to be on guard for this behavior with computers, why are people surprised that it happens with mobile devices? That brings one question to mind though. Do they not verify the applications that are put up on their store?

      --
      Some people are only alive because it's against the law for me to hunt them down and kill them.
    2. Re:Big Surprise... by harlows_monkeys · · Score: 1, Interesting

      You need to think about that some more. Unless the user is required to enter their password every time they access the data (which would get very annoying real fast), there will have to be some kind of key caching, with safeguards to prevent the wrong applications from using it. What's to stop a bad application from bypassing those safeguards?

    3. Re:Big Surprise... by Anonymous Coward · · Score: 1, Funny

      Oh the fools! If only they'd built it with 6001 hulls! When will they learn?

    4. Re:Big Surprise... by E+IS+mC(Square) · · Score: 5, Insightful

      >>What's to stop a bad application from bypassing those safeguards?

      Whatever happened to Apple's policy of babysitting their users by allowing only certain apps? Wouldn't this application be exactly the kind of crap users should be protected against?

      It's been claimed on /. by appple apologists that that's the way apple protects its users. But what apple is actually doing is protecting its pockets by banning applications which take business away from them or AT&T - while such apps are in the wild - blessed by Apple.

    5. Re:Big Surprise... by E+IS+mC(Square) · · Score: 0, Flamebait

      flamebait? Oh man, did I just commit a cardinal sin of blaming apple?

    6. Re:Big Surprise... by John+Hasler · · Score: 1

      > When will encrypted data at the 2048 and higher bit level make it into the
      > tech we take for granted on a daily basis?

      When a significant number of customers won't buy "tech" without it. The fact is most people don't care, including most of those who complain about it.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    7. Re:Big Surprise... by CharlyFoxtrot · · Score: 4, Funny

      If you want infallible maybe they should get the pope to do app reviews.

      --
      If all else fails, immortality can always be assured by spectacular error.
    8. Re:Big Surprise... by SleepyHappyDoc · · Score: 5, Insightful

      Encryption wouldn't help here. The API allows access to all kinds of data on the iPhone, which some apps do legitimately require in order to function (for example, a Google Voice-type app would indeed need the user's phone number). Even if the data was encrypted, the iPhone would happily decrypt it and pass it to the app when given the proper API call. The issue here is enforcement. Developers caught doing this kind of thing should be banned from the App Store, and put on some kind of blacklist at Apple so Apple doesn't do further business with them.

      --
      Stasis is death. Embrace change.
    9. Re:Big Surprise... by Anonymous Coward · · Score: 0

      Oh yes. But apple fanbois hammering MS for everything is apparently okay. Pope does not figure in those discussions!?

      Apple apologist finally out to defend, eh?

    10. Re:Big Surprise... by R3d+M3rcury · · Score: 3, Insightful

      So Apple will try but they may make mistakes. Fair enough.

      But if we accept the fact that mistakes will be made, how is this better than either a "Wild West" approach where anyone can publish applications with no review whatsoever or, conversely, a competitive store approach where some stores will be better than others about evaluating what an app does?

    11. Re:Big Surprise... by jo_ham · · Score: 2, Insightful

      No, you just made a claim about "appple apologists" [sic] that you completely failed to back up. You then threw out your own baseless accusation, again with no citation.

      Textbook flamebait.

      You can replace "Apple" with "MS" or "Sun" or "Verizon" or "Amazon" or "Google" for exactly the same mod result.

    12. Re:Big Surprise... by CharlyFoxtrot · · Score: 1

      The rationale is that Apple products are strongly associated with the brand and everything that goes wrong will reflect badly on Apple even if the apps are not associated with Apple in any way. Opening up the iPhone to other stores in that line of thinking would increase the risk of damaging the brand by vastly increasing the opportunity for malicious and inappropriate apps. Just read this thread and see how many people are ready to blame Apple because some software publishers are shady assholes.

      Personally of course I don't agree with this corporate type logic which is why I jailbreak and unlock my iPhone.

      --
      If all else fails, immortality can always be assured by spectacular error.
    13. Re:Big Surprise... by Anonymous Coward · · Score: 0

      >> You can replace "Apple" with "MS" or "Sun" or "Verizon" or "Amazon" or "Google" for exactly the same mod result.

      On slashdot? In your fucking dream.

    14. Re:Big Surprise... by jcr · · Score: 1

      > Wouldn't this application be exactly the kind of crap users should be protected against?

      Of course it is, and you can bet that Apple's investigating it right now. If it turns out that this vendor is violating the terms of the App store, those apps will be yanked.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    15. Re:Big Surprise... by harlows_monkeys · · Score: 1

      > You need to think about that some more. Unless the user is required to enter their password every time they access the data (which would get very annoying real fast), there will have to be some kind of key caching, with safeguards to prevent the wrong applications from using it. What's to stop a bad application from bypassing those safeguards?

      What you are describing are the kind of measures you take against outside attackers. The problem here is that the attacker is an invited guest. Locked doors don't do much against people you've invited in.

    16. Re:Big Surprise... by Anonymous Coward · · Score: 0

      What would any apple discussion be without the ever defending jcr?

      If Apple is reviewing this now (after the damage is done), what the fuck is their 'application approval' thing for when applications are 'submitted' for 'review' before they are approved?? Oh, I see. To weed out competitors? But then, you won't agree to that either.

      No matter which way, apple is always right. Right, you fucking fanboi?

    17. Re:Big Surprise... by sjames · · Score: 2, Insightful

      Apple would receive no blame at all here except that they claim to protect users from this sort of thing. In order to provide this "protection", they make developers of potentially useful apps jump through a series of flaming hoops, yet managed to defeat the entire point by allowing the Storm8 games right in. That is, they endorsed the app by screening it for harmful behavior, pronouncing it good, and then offering it in their app store.

      It should be no surprise that if Apple will claim to be providing this protection and then fails to do so, they will catch some heat over it.

      If they had left things open and the same thing happened, instead the comments would be a mixture of "that's what happens when you install random binaries you download from the net" and calls for Storm8 to be treated just like a script kiddie would be if caught. Apple would be left out of it because they neither produced nor endorsed the apps.

      Storm8 proclaims that the data collection was a bug rather than deliberate. If so, that just makes it worse for Apple's claims that they must screen all apps for their user's own good.

    18. Re:Big Surprise... by sjames · · Score: 2, Insightful

      They've had since at least August 27th to correct their oversight (the date when Storm8's behavior was first documented publicly). Considering that it could be verified by just installing one of the listed games and running tcpdump while registering it, I'd have to say they haven't been at all interested in investigating.

      Just to add to it, Storm8 doesn't even deny that the collection happened! They only deny that it is intentional.

    19. Re:Big Surprise... by Anonymous Coward · · Score: 0

      > If you want infallible maybe they should get the pope to do app reviews.

      That's a total BS response. NO! Apple wants and has total control of apps. I would think that this kind of breach of trust would have been covered in the Apps store terms of use. If it is not then that's the last app I buy until it is.

    20. Re:Big Surprise... by Runaway1956 · · Score: 1

      How will encryption help, when the application that you've been duped into installing is DOING THE SNOOPING?!?!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    21. Re:Big Surprise... by Anonymous Coward · · Score: 1, Insightful

      Data encryption is just not practical within US borders, our government is just too paranoid and nosy. Law enforcement will demand backdoors be required (such as CALEA, the Communications Assistance for Law Enforcement Act), and if there are backdoors built in for them to use then hackers and unscrupulous businesses will use them too.

      Also no device using encryption can ever be offered for export, ITAR (International Traffic in Arms Regulations) forbids it, attempting to leave the USA with an iphone with encrypted data on it is exactly the same as attempting to smuggle out a nuclear weapon (in the eyes of the law anyway).

      The only way to stop these scumbag businesses from snooping is to have actual consequences for getting caught. I'm not talking about a slap on the wrist and a little fine either, I'm talking about long prison sentences for company executives. Only once there are actual consequences will this activity stop.

      Remember, if YOU were caught doing this then you would be sitting in lockup (with no bail) right now awaiting trial on multiple criminal felonies.

    22. Re:Big Surprise... by Antique+Geekmeister · · Score: 2, Insightful

      When will a pony show up and dance the lambada? This has _nothing_ to do with the length of encryption keys, and everything to do with fine-grained data access. Unfortunately, a lot of apps were developed first, and security only thought of later. (Yes, I'm talking about CVS and Subversion and Jabber.) The results are predictable: personal data is not encrypted, and is shared freely to the local filesystem because the developers are not given the time, and the apps are not given the resources, to protect the data more thoroughly.

      This data _should not have been accessible_ to unauthorized applications, true. But encryption in limited hardware like an iPhone is painful to provide at all, due to the speed and space limitations. 2048 is hardly necessary: most such data lives in plain-text, because the authors believe that it's your operating system's problem, not yours. (Go look at Subversion's storage of plain-text passwords to see where this leads.)

    23. Re:Big Surprise... by Anonymous Coward · · Score: 0

      If you're just saying random uninformed positive things about Apple in the hope it improves Apple's image and the value of your stock, note that most people on /. laugh at the nonsense you post. Everything you say counts against Apple by reinforcing the stereotype that its adherents are mindless fashionistas with no real enterprise or engineering ability or clout.

      Moreover, the fact that Apple offered a job to someone with your critical thinking and analysis skills says more than enough about Apple. If I were you, I'd post all remaining fanboyism as AC.

      tl;dr Your wearing the cult uniform reflects badly on the cult.

    24. Re:Big Surprise... by lena_10326 · · Score: 1, Flamebait

      > Textbook flamebait

      No offense but.. I think guys like you crying flamebait are big fat pussies. Seriously.

      --
      Camping on quad since 1996.
    25. Re:Big Surprise... by jo_ham · · Score: 1

      Hey, I'm just explaining why he got the mod. I'm not judging one way or the other, nor am I the one who modded it that way.

      In my experience, "flamebait" typically means "I do not agree, thus I mod you flamebait", but in some cases, it actually does mean what it says, hence: textbook.

    26. Re:Big Surprise... by indiechild · · Score: 0, Flamebait

      Mental illness much?

    27. Re:Big Surprise... by indiechild · · Score: 1

      It's obvious who the mindless, irrational zealot is here, and it certainly isn't jcr...

    28. Re:Big Surprise... by Anonymous Coward · · Score: 0

      indiechild - alter ego of jcr.

    29. Re:Big Surprise... by DavidTC · · Score: 2, Insightful

      Exactly.

      Apple is playing both sides here. Either their app store is safe, or it isn't.

      If it isn't safe, 90% of their excuse for not allowing people to download apps from anyone is nonsense.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    30. Re:Big Surprise... by Thinboy00 · · Score: 1

      > Exactly.
      >
      > Apple is playing both sides here. Either their app store is safe, or it isn't.
      >
      > If it isn't safe, 90% of their excuse for not allowing people to download apps from anyone is nonsense.

      Other 10% (in 2% increments):
      1) Money
      2) MONEY
      3) Mo-ney
      4) ???
      5) Profit!

      --
      $ make available
    31. Re:Big Surprise... by Anonymous Coward · · Score: 0

      Clueless post of the month

    32. Re:Big Surprise... by Anonymous Coward · · Score: 0

      > Also no device using encryption can ever be offered for export, ITAR (International Traffic in Arms Regulations) forbids it, attempting to leave the USA with an iphone with encrypted data on it is exactly the same as attempting to smuggle out a nuclear weapon (in the eyes of the law anyway)

      Wassenaar Arrangement? Your argument is stupid, nearly every modern desktop operating system produces encrypted files and/or keys.

    33. Re:Big Surprise... by Anonymous Coward · · Score: 0

      For other /. readers: indiechild is a jcr sockpuppet, one-time Apple employee and unflinching defender of Apple, making the parent post especially saddening. It's not, unfortunately, a troll, but a zealot in the style of twitter. See also this post.

    34. Re:Big Surprise... by tmkn · · Score: 1

      > Don't lock the door well, expect thieves, don't weatherize in well, expect to get cold. Don't encrypt your data, expect to lose it to theft.

      Sorry, but I prefer my door locked. What bad advice!

    35. Re:Big Surprise... by aftk2 · · Score: 1

      Please direct this post to the original poster, whose whiny bitchiness about his own mod is the reason this thread exists.

      --
      concrete5: a cms made for marketing, but strong enough for geeks.
    36. Re:Big Surprise... by E+IS+mC(Square) · · Score: 1

      >> whose whiny bitchiness about his own mod is the reason this thread exists

      Oh yes. I must be the first one and a trend-setter on /. for that!

  2. App Testing by Anonymous Coward · · Score: 0

    Then what kind of app DOES Apple reject?

    1. Re:App Testing by Anonymous Coward · · Score: 0

      The kind that might hurt their ability to extract money from you.

    2. Re:App Testing by Jackie_Chan_Fan · · Score: 5, Informative

      skype, opera, flash, and c64 emulators

    3. Re:App Testing by GameboyRMH · · Score: 1

      ...and anything with naughty words in it, like dictionaries and lyrics apps.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:App Testing by socsoc · · Score: 1

      Or other naughty words, like iPhone

    5. Re:App Testing by MightyMartian · · Score: 1

      > skype, opera, flash, and c64 emulators

      In other words, useful apps. I'm damned glad, and I hope this severely bites those pathetic control freaks in the ass. Apple needs its reputation dragged through the mud like the two-bit whore it is.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:App Testing by Anonymous Coward · · Score: 0

      Skype is available for free on the App Store, but voice calls work only on WiFi.
      You're right about the others, though.

    7. Re:App Testing by Jackie_Chan_Fan · · Score: 1

      Skype was initially banned from the app store. Skype had to fight to get it in there again.

  3. Clearly an inside job. by Reeses · · Score: 4, Funny

    As strict as the Apple store is about getting actual useful apps in, and screening all kinds of apps based on one or two system calls, clearly the only way this could have happened is if Storm8 has someone on the Apple App Approval Team who they know. Otherwise, how would something like this have gotten past such a stringent code review?

    --
    Reeses
    1. Re:Clearly an inside job. by Super+Dave+Osbourne · · Score: 2, Interesting

      That is of course assuming Apple has a tough scrutiny that is uniform across all apps and all its screeners. I often get the impression that with 1000s of crap apps submitted, and 1000s of crap apps approved, with 1000s of good apps rejected, and even more 1000s of crap apps rejected there is no rhyme or reason to the insanity that still is the approval process at AppStore. To summarize, they do what is necessary to keep it afloat, and no more. Others take advantage of it, and thinking there is some conspiracy at AppStore is as valid in my mind as the argument that this Storm8 upload of PNUM was a mistake/error. Just don't buy it.

    2. Re:Clearly an inside job. by SchroedingersCat · · Score: 5, Insightful

      They don't have access to the code. Besides, reviewing the code requires non-trivial technical skills. They are checking that apps conform to certain standards. If somebody really wants to plant a backdoor into their app then nothing can really stop them. There must be an explanation for 10000 fart apps in the store. Perhaps some of them have VOIP client built in...

    3. Re:Clearly an inside job. by tonycheese · · Score: 1

      (Psst... it was a joke. Nice uid, though.)

    4. Re:Clearly an inside job. by Super+Dave+Osbourne · · Score: 1

      Pretty good one too, just got it. I'm a bit slow today (usually most days) without coffee. Note to self, don't post emotion, post logic, with cream.

    5. Re:Clearly an inside job. by chocomilko · · Score: 2, Informative

      Apple acknowledges the fact that developers might insert hidden content into their app to skirt the review process. They do warn, however, that they will eventually find out and yank your app -- which is what has happened here.

      Unfortunately, app reviewers literally just install your app on a bunch of devices and tap around the screen to make sure nothing breaks, so any sort of hidden functionality will likely make it past the initial screening.

      For the record... my app, Touch Health, will not steal your phone number.

    6. Re:Clearly an inside job. by Anonymous Coward · · Score: 1, Funny

      > They don't have access to the code. Besides, reviewing the code requires non-trivial technical skills.

      Technical skills. Exactly the sort of thing Mac users don't have.

      "Of the 235 million people in America, only a fraction can use a computer... Introducing Macintosh. For the rest of us." -- Apple Inc.

    7. Re:Clearly an inside job. by socsoc · · Score: 1

      Thanks, I was worried that an obscure health app would do that. I now know that this isn't merely an attempt for you to get more hits, I was seriously worried that an app with a single review was busy stealing my data.

      I've looked over your bullet points, still wondering where it becomes useful, you really expect emergency personnel to launch your app and find the "emergency contact" ? This is great. Maybe next you can add a method for me to identify myself when my wallet isn't sufficient, wait you already did that...

    8. Re:Clearly an inside job. by DavidTC · · Score: 2, Interesting

      That is possibly the stupidest review process I've ever heard of.

      Surely Apple has some sort of iPhone emulator they can install on and see what files it accesses.

      Hell, in this case, your phone number is being transmitted in cleartext, which should have been noticed via sniffing.

      Obviously, nothing could even entirely be 100% sure, (See: Halting problem), but it could be made damn hard for apps to do that sort of stuff.

      At this point, it's looking like Apple's entire 'review' process is solely to keep competitors out. Yes, yes, I've always heard people say that, but I actually believe they were at least also keeping malicious software out.

      --
      If corporations are people, aren't stockholders guilty of slavery?
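
The check sjames and DavidTC describe in this thread (capture an app's traffic, then look for the handset's own phone number in cleartext), sketched as an added example; it is not part of any comment and not Apple's or Storm8's code. The captured requests, the host name, the field names and the phone number are constructed sample data, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# A run of characters that could be a written phone number ("+1 (202) 555-0142").
CANDIDATE = re.compile(r"\+?\d[\d\s().-]{5,}\d")


def number_variants(international, country_code="1"):
    """Digit strings that all denote the same subscriber number."""
    d = re.sub(r"\D", "", international)
    if not d.startswith(country_code):
        raise ValueError("number must be given with its country code")
    national = d[len(country_code):]
    return {national, country_code + national, "00" + country_code + national}


def flatten(obj, path=""):
    """Yield (dotted.path, value-as-text) for every leaf of a JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{path}.{k}" if path else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{path}[{i}]")
    else:
        yield path, str(obj)


def request_fields(raw):
    """Yield (location, field, value) for each part of one cleartext HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    for k, v in parse_qsl(urlsplit(target).query):
        yield "query", k, v
    for k, v in headers.items():
        yield "header", k, v
    ctype = headers.get("content-type", "")
    if "json" in ctype:
        try:
            for k, v in flatten(json.loads(body)):
                yield "body", k, v
        except ValueError:
            yield "body", "(raw)", body
    elif "x-www-form-urlencoded" in ctype:
        for k, v in parse_qsl(body):       # decodes %2B and '+' for us
            yield "body", k, v
    elif body:
        yield "body", "(raw)", body


def find_leaks(raw, own_number):
    """Return [(location, field)] where the handset's own number appears."""
    wanted = number_variants(own_number)
    hits = []
    for location, field, value in request_fields(raw):
        for run in CANDIDATE.findall(value):
            if re.sub(r"\D", "", run) in wanted:
                hits.append((location, field))
                break
    return hits


# Constructed sample data: the test handset's number and three captured requests.
# Only cleartext HTTP is covered, matching the cleartext transmission described above.
OWN_NUMBER = "+1 202 555 0142"
CAPTURE = [
    "POST /register HTTP/1.1\r\nHost: game.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "udid=00000000aaaa&phone=%2B1+%28202%29+555-0142&ver=1.0",
    "GET /score?level=3&pts=12025 HTTP/1.1\r\nHost: game.example.invalid\r\n\r\n",
    "POST /profile HTTP/1.1\r\nHost: game.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"device": {"model": "iPhone", "msisdn": "12025550142"}, "score": 2025550}',
]

if __name__ == "__main__":
    for raw in CAPTURE:
        request_line = raw.split("\r\n", 1)[0]
        print(request_line, "->", find_leaks(raw, OWN_NUMBER) or "clean")
```
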
  4. Not so secret .. by Anonymous Coward · · Score: 5, Informative

    Getting access to a user's phone number doesn't require a 'secret' code. Any app can do that.

    http://blog.timeister.com/2009/06/25/objective-c-get-iphone-number/

  5. yeah, right! by Anonymous Coward · · Score: 5, Insightful

    To be fair, given apple's reputation of 'protecting' their users by banning apps for all and sundry stupid reasons, it's only fair to lay the blame on the company for failing to protect against this.

    You can't have the cake and eat it too.

    But of course, if it's apple - apparently they can, at least here on /.

    1. Re:yeah, right! by E+IS+mC(Square) · · Score: 4, Funny

      Apparently, having the word 'iphone' in the app name is harmful, but allowing some other app to steal user data is okay - as long as it does not have the name 'iphone' in the app name.

      But it's apple!! They can't do no wrong!!

    2. Re:yeah, right! by dotgain · · Score: 1

      > But it's apple!! They can't do no wrong!!

      They're a company, protecting their profits with nary a regard for their customers' welfare. They're doing no more wrong than what's expected of any company.

    3. Re:yeah, right! by DJRumpy · · Score: 2, Interesting

      They never guarantee that they will remove all malware, although they reserve the right to ban any application that is deemed dangerous. Unless they were to visually verify every line of code of every application (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.

      I for one would prefer that they make the attempt, rather than taking the MS approach of relying on heuristics to identify them.

    4. Re:yeah, right! by Turzyx · · Score: 1

      > Unless they were to visually verify every line of code of every application (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.

      And yet, all of those 100,000 apps have gone through Apple's verification and approval process. What exactly is involved in that? I would say checking for malicious activity and programs attempting to gain access to privileged information would be the bare minimum, surely?

      IANAL, but a content provider that facilitates distribution of malware/spyware through its portal must be culpable to some extent?

    5. Re:yeah, right! by TheRaven64 · · Score: 2, Interesting

      The XNU kernel on the iPhone supports fine-grained profiles for restricting what applications can do. If something is a game, then it needs to access the display, write to the app's directory, and nothing else. This should be enforced by the kernel. Apple has even written a policy for this already, which ships with OS X on the desktop (I've never met anyone who uses it, but it's there). There is no excuse for not using this on the iPhone.

      --
      I am TheRaven on Soylent News
    6. Re:yeah, right! by DJRumpy · · Score: 3, Informative

      > IANAL, but a content provider that facilitates distribution of malware/spyware through its portal must be culpable to some extent?

      No they aren't. You should know better if you're on this site. That's like saying the internet providers are responsible for all malware.

      They check apps for content and for duplicated functionality. They don't do a line by line review of every piece of code, nor do they claim to do so.

    7. Re:yeah, right! by DJRumpy · · Score: 1

      I agree wholeheartedly. Any reasonable security measure that doesn't put undue burden on a developer should absolutely be implemented.

      I suspect they may have to find a way to enforce use of such profiles at some point if they want to keep things tidy. I'm actually surprised they don't do so already.

      I have to wonder if these in-game upgrades go through the same strenuous review process that the initial app does?

    8. Re:yeah, right! by Dare+nMc · · Score: 2, Insightful

      I would agree, except apple's setup seems to prevent anyone but apple being able to prevent this. Most other platforms you could install a debugger/logger, but that would be banned on any phone that can access the app store. In an open development environment you could have open source apps that the customers can compile themselves ensuring any suspicion can be verified in source as intent, again not an option in the apple environment. Apple better have a terms of use for application developer so that these suppliers are indeed punishable by apple. Since again, the customer only deals with Apple for the applications, it seems to me, Apple should be the first ones to sue these developers, since they are likely to take the most damage from this.

    9. Re:yeah, right! by DJRumpy · · Score: 2, Insightful

      No play for play software producer would open the source on their currently selling software. At a minimum, should the charges prove true, I would think Apple will yank the app (potentially all apps from that vendor I would think). This is a pay app, not a free one.

      I would also think that legal action, both by individuals, and by Apple is pretty much a given should it prove to be true.

    10. Re:yeah, right! by Turzyx · · Score: 1

      Sorry, allow me to clarify.

      Since it is not possible to buy apps except through the app store, it can be said that Apple is almost the publisher/distributor for these apps.

      If I purchased a video game, and it contained malware, then I sure as hell would want the publisher/distributor to take some responsibility for this.

      You can't slap your name on a product, sell it, make money from it and take on none of the risk.

    11. Re:yeah, right! by DJRumpy · · Score: 1

      Again, you're looking to assign blame where none exists. The responsible person is the app developer, not Apple. This same tack was tried with internet providers. If they were opened to legal action due to the malicious intent of others then there would be no internet providers. None would be crazy enough to enter into that legal nightmare. Any digital distribution for online software would be at risk, and would also disappear in short order I would imagine.

      It's obvious you dislike the Apple model and its closed system, but trying to imply responsibility on Apple for another's malice won't fly, just as it doesn't fly trying to hold internet providers responsible for what their users do. If this app is found to be breaking the rules, I have zero doubt it would be removed from the store and probably deleted from any iPhone that uses it. That is all Apple needs to do to secure its user base. No further action would be required, other than refunding said purchase price, which I'm sure Apple would be suing the creators for recovery costs.

    12. Re:yeah, right! by MightyMartian · · Score: 2, Insightful

      One of the chief rationales constantly given for Apple's labyrinthine and bizarre rules is to protect the "experience". If Apple is allowing malware in their store, then I think they should be taken to task for screwing with the "experience".

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    13. Re:yeah, right! by DJRumpy · · Score: 1

      Are you implying that they knowingly 'allowed' a known app that collects personal information into the App store?

    14. Re:yeah, right! by MightyMartian · · Score: 3, Insightful

      I'd love to, but sadly, I think it shows the sheer ineptitude of their apps store and undermines the very arguments they use for denying things like full C64 emulators. In short, Apple's excuse is a pile of bullshit. If malware can make it on to the iPhone via the Store, then one of the Store's primary purposes has been undermined, as has Apple's claims about it.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    15. Re:yeah, right! by Thinboy00 · · Score: 1

      whoosh!

      --
      $ make available
    16. Re:yeah, right! by Thinboy00 · · Score: 1

      Apples and oranges. ISPs usually don't look at what you're downloading/uploading, and in fact they're not supposed to (ethically, not yet legally). Apple "audits" any app you can put on your iPhone. Since Apple does reject some apps, and doesn't want to say much about what they look for, it is difficult to argue that they are completely in the legal clear given that their auditing process creates a certain expectation of security in the mind of the user. If Apple cannot fulfil that expectation, they might be liable for the consequences. Note that IANAL. Finally, if Apple has some sort of disclaimer to display to the user, they probably are in the clear on this one.

      --
      $ make available
    17. Re:yeah, right! by ushering05401 · · Score: 1

      I don't get what you are saying. Apple vets the apps in the app store. If my ISP attempted to vet my traffic I would want a lawsuit and Congressional hearings.

      Apple audits apps every day, chooses to not carry apps for whatever reasons, de-lists apps after the fact. While it would not surprise me to discover they aren't screening for security, I am pretty sure it will surprise the majority of iPhone owners that I know. They all seem to be under the impression that the app-store is under Apple quality control.

    18. Re:yeah, right! by DJRumpy · · Score: 1

      Apple doesn't claim to stop Malware. Please point out where they claim this.

    19. Re:yeah, right! by DJRumpy · · Score: 1

      Apple tells you exactly what they're looking for. Obscene material, and apps that duplicate functionality on the core OS within those apps.

      Please point out anywhere on Apple's site where they actively scan code for malware. Unless you can find such a claim, then there is no legal basis for your argument.

    20. Re:yeah, right! by DJRumpy · · Score: 1

      I will repeat for you what I've asked the others. Please point out on Apple's site where they claim to scan code for malware. Just because you may think they should be doing something, doesn't mean they are legally bound to do so. I would go so far as to guarantee that the terms of purchase specify that Apple isn't liable for content purchased via the App store, except possibly for the return price should the app be banned.

    21. Re:yeah, right! by MightyMartian · · Score: 1

      Apple claims to be protecting the "experience" with their restrictive Store policies. Malware fucks up the experience, wouldn't you say? Besides, the whole argument against the C64 emulator was that somehow, magically, someone could use 6510 assembly language to, well, do the sorts of nasty things that apparently can be done with approved apps. In short, Apple is both incompetent and lying.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    22. Re:yeah, right! by brkello · · Score: 2, Insightful

      Eh, that's a load of crap. Apple spews us with ads on how much safer it is than a PC daily with their misleading commercials. But then, when they approve something that runs on an Apple device that steals your data, it's ok?

      If you are making the claim that you don't have to worry about viruses and bad people on Apple products, then you better not be sanctioning apps that do exactly that. If they let anyone put anything on the iPhone, this would be different. But since they force you to go through their approval methods, people are going to expect more from them. You can't let them have it both ways.

      --
      Support a great indie game: http://www.abaddon360.com
    23. Re:yeah, right! by DJRumpy · · Score: 1

      I'll ask again. Please post a link to the specific text where Apple guarantees the 'user experience', or where they guarantee they will find and prevent all malware. Please point out where they 'claim' this.

      You can't.

      You've only proved that you don't like their closed system and frankly, I'm surprised you haven't been marked down for flamebait. Your post seems more based on wishful thinking hoping someone will sue Apple for malware created and injected by a 3rd party with no substance behind it other than your obvious distaste for Apple.

    24. Re:yeah, right! by intheshelter · · Score: 1

      "it can be said that Apple is almost the publisher/distributor for these apps."

      It can only be said that way if you're hell bent on blaming Apple.

      "You can't slap your name on a product, sell it, make money from it and take on none of the risk."

      - Can you explain to me where Apple slapped their name on these games? I must be missing this part.

      Please try and base your criticism on reality rather than a blind hatred of Apple.

    25. Re:yeah, right! by Anonymous Coward · · Score: 0

      Are you confused? This is about an iPhone, not a Mac computer. This is not some wild virus. It is an application, sold by a 3rd party, not a virus in the wild.

    26. Re:yeah, right! by Halotron1 · · Score: 1

      Well, there's an easy way to test this, right?

      Go make an iPhone app that is simply a piece of malware that steals your personal information.

      If Apple rejects it because it "violates their terms and services", then clearly their terms and services cover checking for malware.

    27. Re:yeah, right! by Dare+nMc · · Score: 1

      it was proven true, intent isn't known. My only point was, there is no easy way to verify an iApp outside of apple, a customer couldn't even verify an app they were given/bought the source for. This one transmitted the info over WiFi link as well, had it only used cell link, who would know?
      Open-sourcing an iphone game doesn't seem too bad. To get it on a phone a player would have to pay $100 to become a developer (or $4 for the app), without that they could play it on an emulator only. The app store is supposed to eliminate duplicates. So updates would be required to give back changes, so any app the developer should have a head start in marketing spin-offs... Seems like a win-win. Besides most iphone apps don't look that difficult to code for an experienced iDeveloper, if you were just wanting to copy an existing app.

    28. Re:yeah, right! by Anonymous Coward · · Score: 0
    29. Re:yeah, right! by Anonymous Coward · · Score: 0

      Right, since one bad app got thru let's just screw it! Let'em all thru!! WOOOOOOO WEEEEEEEE! WILD WEST!!!

  6. well well well by Anonymous Coward · · Score: 0

    there was me thinking that apple were just a very well marketed firm, one that makes money from sad people who need to express themselves with shiny lifestyle choices.

    who'd have thought that they allow this kind of sinister thing to happen!!!!! can they be trusted with your data at all?

    maybe this is why the business crowd won't go near the iphone, apart from the battery life, the dropped calls etc.

  7. What Safeguards? by hdurdle · · Score: 5, Informative

    How is using standard, documented, code bypassing safeguards?

    NSString *telnum = [[NSUserDefaults standardUserDefaults] stringForKey:@"SBFormattedPhoneNumber"];

    On most devices - at least those that were activated via iTunes - that will return the phone number. Or null if you're on an iPod Touch.

    Okay, so the developer shouldn't have been harvesting this data, and definitely not without protecting it, but I fail to see how this was bypassing safeguards!

    1. Re:What Safeguards? by RobTerrell · · Score: 5, Informative

      Mod parent up. There's no safeguards. The Cocoa Touch SDK doesn't protect the user's phone number or name. Even the contents of the entire address book are accessed without safeguards. I was amazed to learn that I have to give an app permission to get my location, but meanwhile apps could pull every email address from Contacts and post them to a web server somewhere without my ever knowing.

    2. Re:What Safeguards? by Anonymous Coward · · Score: 0

      If this is true for the iPhone then I'm going to be seriously pissed off. So pissed off I'll shove the thing down the throat and out the other end of the incompetent moron who sold it me, telling me that it was secure. I am seriously done with Apple products now.

    3. Re:What Safeguards? by Anonymous Coward · · Score: 0

      Haha, very funny, but we all know your mom wouldn't let you have an iPhone.

    4. Re:What Safeguards? by BikeHelmet · · Score: 1

      So basically, it was designed with the same philosophy as Windows?

      I can predict how this is going to end!

    5. Re:What Safeguards? by TheRaven64 · · Score: 1

      Wow, not only is the security bad, that's a really horrible way of storing data. If every app can see it like that then it must be stored in NSGlobalDomain, rather than in the address book's user defaults, and it's stored in a completely unstructured manner. I thought it was impossible to do this in a worse way than the AddressBook framework on OS X (thankfully largely obsoleted now by sync services), but apparently Apple succeeded.

      --
      I am TheRaven on Soylent News
    6. Re:What Safeguards? by IamTheRealMike · · Score: 4, Interesting

      What? Seriously? Why does this never come up in iPhone vs Android reviews? The Android security system isn't perfect, but it does at least tell you what an app will be able to do ahead of time. If I install a game and it wants to read my address book, I think twice.

    7. Re:What Safeguards? by Anonymous Coward · · Score: 0

      Agreed, this is really odd shit right there. Wouldn't apple also find it odd that a game checks for your phone number?

    8. Re:What Safeguards? by Rogerborg · · Score: 1

      Overwhelming market domination, with the sore losers claiming a "technical" victory?

      --
      If you were blocking sigs, you wouldn't have to read this.
  8. approval process a joke. by Anonymous Coward · · Score: 0

    google was able to push private api's in the google iphone app.

    other apps were able to bypass the no streaming over 3g by putting an unseen area to touch to enable 3g streaming.

    the only thing the approval process does is what apple wants in terms of type of app on its phone.

  9. note to Apple by N!NJA · · Score: 4, Interesting

    mass-adoption is a security liability. it must be feared as much as holes and bugs in software. how does it feel to be in Microsoft's shoes? go ahead, fanbois. mod me down.

    1. Re:note to Apple by gravos · · Score: 1

      Truer words are rarely spoken.

    2. Re:note to Apple by Anonymous Coward · · Score: 0

      And security through obscurity is no security at all.

    3. Re:note to Apple by Anonymous Coward · · Score: 0

      Truer words are rarely spoken.

      Especially by aggressively in-your-face trolls.

    4. Re:note to Apple by 140Mandak262Jamuna · · Score: 3, Insightful

      mass-adoption is a security liability. it must be feared as much as holes and bugs in software. how does it feel to be in Microsoft's shoes? go ahead, fanbois. mod me down.

      Oh, really? Take a look at the market share of Apache webserver. Now which is more secure? IIS or Apache? They are a plump target for every organized crime outfit in the world. They host banks and brokerage accounts that transact trillions of dollars day in day out. And the organized crime outfits don't limit themselves to simple hacker techniques. They would not mind murder and kidnapping and bribing to get passwords or breaking and entering to install key loggers. In that market place Apache shines and IIS lags.

      Mass adoption alone is not a security liability. Mass adoption of closed proprietary protocols, be it Apple, be it Microsoft, be it Diebold, is a security liability. The reason is the main interest of Apples and Microsofts and Diebolds is to sell more of their product. Not security of user data. It is important only as much as it affects sales. If there are other factors that influence sales they will be the preoccupation of these companies, not security of user data.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    5. Re:note to Apple by garote · · Score: 1

      Ok, if you insist. ...

      Seriously, you make a good point, but you've deliberately tarnished it by expressing a smarmy - some would call it unnatural - preference for attention from "fanbois".

      Why do you seek them out?

    6. Re:note to Apple by ErikZ · · Score: 2, Funny

      ...
      Are you saying Apache is Murder-proof?

      How did they test that?

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
    7. Re:note to Apple by brkello · · Score: 1

      2 words: bull shit. Anything on the Internet is vulnerable...anything! Closed or open source. Mass adoption just means there is something that hackers can focus on. It means that when they find a vulnerability it works on more machines since something is mass adopted. Is some code more secure than other code? Absolutely. But to say that mass adoption isn't a security risk is naive in the extreme.

      --
      Support a great indie game: http://www.abaddon360.com
  10. After all, this is the domain of the big players by deodiaus2 · · Score: 1

    Isn't it that it is all right for your carrier (ATT & Verizon) to sell your phone records (Amdocs) to anyone who has a couple of bucks? How dare these little players get into this game. Next thing you know is that customers might start thinking that their financial records are theirs alone and not the property of their financial institutes. I keep reading more and more about how the 4th Amendment does not apply to records stored on servers, only to records that are physically located in your house. Next thing you know, attorney client privileges will be the property of the attorney who will charge you even more if he has something really incriminating.

  11. Look for a lawyer... by NotQuiteReal · · Score: 1

    The complaint seeks class-action status

    Even if the "class", um, "wins", it would be something like this; Lawyer gets well paid for all the hard work to bring justice to the world.

    iPhone users get a coupon for a free iPhone download or two.

    --
    This issue is a bit more complicated than you think.
    1. Re:Look for a lawyer... by T+Murphy · · Score: 1

      ...and app makers have to think harder about their bottom line when collecting user data and not being upfront about it.

  12. This is isn't new by Anonymous Coward · · Score: 2, Informative

    You can get device id (often the number) on games/apps from a variety of carriers. We're contractually bound only to use it for reporting back to them. Esp for subscription games. There's that line about sharing info with our partners in nearly every privacy clause, basically we use it to track you but not to market to you.

    And yes I've worked in the industry for a while.

  13. Apple's "Security" Focus (or lack their of) by thesandbender · · Score: 4, Interesting

    As a recent convert to Apple (short story OS X is a nice balance between Unix and applications I need to use for my client base) I was a little shocked by how nonchalant Apple seems to take user security.

    1. MacBooks default to no user authentication which is unacceptable for a portable device that can be stolen or misplaced.
    2. The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.
    3. And as a completely random example... AppleTV only supports WEP. I know this is a nit-picky thing but it shows Apple's indifference. WEP has been thoroughly and completely broken... yet one of Apple's primary devices will not support a more secure protocol. You want to use your new toy you have to downgrade your security.

    I like OS X and the new unibody MacBooks just rock... but Apple's shwarmy and basically indifferent attitude to security is going to end up biting them in the arse.
    /I've strapped on my fire-proof britches... fire away :)

    1. Re:Apple's "Security" Focus (or lack their of) by kegger64 · · Score: 4, Informative

      Not a flame, just a correction... the AppleTV supports WPA encryption as well as WEP, and has for years. See http://www.engadget.com/2007/04/05/apple-tv-review/ .

      --
      653899 - Another prime Slashdot UID
    2. Re:Apple's "Security" Focus (or lack their of) by jo_ham · · Score: 2, Interesting

      1. If your Macbook is stolen, your data is compromised whether you have user auth on or not, since with an OS X install disk you can reset the admin password. Alternatively they can just boot it in firewire mode and mount the disk on another machine and take your data that way (or physically remove the HD). Unless you specifically set your keychain password to something other than your admin password this also means any password you store in there is compromised too. Are you suggesting that Macbooks ship with Filevault turned on? I would suggest that when you start a new user profile that it recommends that your keychain master password is different from your login password, but this is going to get in the way of a smooth user experience (which is a crummy reason to reduce security, but there is a balance between security and convenience that we all have to decide on) - by default the Mac is pretty open, but you can choose to enable the firewall, create different passwords for your keychain, run as a non-admin user etc etc as you see fit.

      2. Yes, it should be on by default. I have no idea why it isn't.

      3. The Apple TV is a bit of a special case - it should be updated to newer wireless standards, but I assume there is a technical reason why this is not so at the moment. Everything else on current Mac hardware on the wireless front (ie, anything that is g or better) supports at least WPA or WPA2 as well as the more esoteric WPA2 enterprise protocols as well as the less secure WEP stuff for compatibility. If you have an Apple TV on your network, you either need to drop to WEP or hook it up over ethernet - a problem that does need to be addressed.

    3. Re:Apple's "Security" Focus (or lack their of) by Anonymous Coward · · Score: 0

      1. If your Macbook is stolen, your data is compromised whether you have user auth on or not, since with an OS X install disk you can reset the admin password. Alternatively they can just boot it in firewire mode and mount the disk on another machine and take your data that way ...SNIP

      unless you lock down your firmware that is.

    4. Re:Apple's "Security" Focus (or lack their of) by thesandbender · · Score: 1

      My point was the *default* protection. Not sure if you mean a BIOS/Firmware password or physically securing your laptop but neither are "default" or even openly recommended by Apple.

    5. Re:Apple's "Security" Focus (or lack their of) by jo_ham · · Score: 1

      ...which is covered by "physically remove your hard drive" which I wrote literally right after that, but you chose to only partially quote my sentence and leave out that bit. Did you stop reading, or just choose to selectively quote? You can't be karma whoring since you are AC.

    6. Re:Apple's "Security" Focus (or lack their of) by thesandbender · · Score: 1

      Hmm... I tried it on two different networks and it would not recognize either. One was a Belkin and the other was a Linksys WRT54GL running OpenWRT. Both were broadcasting their ESSID and neither were MAC-filtering. The AppleTV was running the latest firmware. The only difference I see from your link was that both were running WPA/WPA2 and not just bog standard WPA (though that's what they may have meant). T

    7. Re:Apple's "Security" Focus (or lack their of) by thesandbender · · Score: 1

      Sorry... distracted by the getting AppleTV to work with WPA post. I actually had a few OSX fanatics tell me it couldn't be done (and experience backed this up). So... short answer... no I didn't read your entire post. Sorry. T

    8. Re:Apple's "Security" Focus (or lack their of) by cbreak · · Score: 2, Informative

      For 1: User authentication does not help against data loss due to stolen or lost hardware. Local access means root access, unless encryption is used. And Apple can't turn on FileVault by default since users that aren't careful (master password, write their password down and store it in a safe) would just forget their passwords and lose access to their data permanently.
      For 2: The purpose of a firewall is to filter traffic to open ports. Mac OS X has no open ports by default. Any services the user chooses to run have to get a hole in the firewall anyway to work. So how exactly would turning the firewall on by default help the security against intrusion?

    9. Re:Apple's "Security" Focus (or lack their of) by windwalkr · · Score: 1

      Unless you specifically set your keychain password to something other than your admin password this also means any password you store in there is compromised too.

      This doesn't sound correct. As far as I'm aware, overriding the admin password will not grant access to keychain?

    10. Re:Apple's "Security" Focus (or lack their of) by Anonymous Coward · · Score: 0

      You are correct. Overriding the admin password will not change the keychain password, and the keychain will remain inaccessible to anyone who didn't have the original admin password.

    11. Re:Apple's "Security" Focus (or lack their of) by SuiteSisterMary · · Score: 2, Informative

      For 2: The purpose of a firewall is to filter traffic to open ports. Mac OS X has no open ports by default. Any services the user chooses to run have to get a hole in the firewall anyway to work. So how exactly would turning the firewall on by default help the security against intrusion?

      The purpose of a firewall is to filter traffic on open ports. Without a firewall, *all* ports are open, even if there are no daemons listening on them. When you install new software, you are potentially installing a daemon, or a client software. Some people like having firewalls that do the proper job of also filtering outbound traffic.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  14. Privacy applications are available.... by westyvw · · Score: 5, Interesting

    If your phone is jailbroken. I do not know if it protects the user from this company, but it does block information that other companies have been known to try and get. Yet Apple is still trying to convince users that the App store is the only safe place for software.

  15. Hope Apple is named in the suit as well by xednieht · · Score: 0, Troll

    Their app review process and tight control over the apps (both the epitome of stupidity IMO) make them a prime candidate to be named as defendant. Have not RTFA but hope they get sued and lose big time for their arrogance. Fuck Steve Jobs.

    --

    Hope is the currency of fools
  16. Which of these are valid... by SuperKendall · · Score: 3, Informative

    MacBooks default to no user authentication which is unacceptable for a portable device that can be stolen or misplaced.

    Are you sure about that? Every new Mac I've seen, you have to set up a user account (with password) first. Are you talking about how there is a setting to log you in automatically on restart?

    The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.

    This makes no sense. No ports are open by default, so just what would the firewall be, well, firewalling? With no ports open by default it's pretty much pointless to target any of the services since so few of them are likely to be turned on across the population. That's actually the real reason we've seen no viruses on OS X, because there's no target vector wide enough to be worth the trouble - thus all attacks are trojan style.

    If a particular app has a flaw how does a firewall help, if that app chooses to listen on a port? Wouldn't it have to do that around the firewall anyway?

    And as a completely random example... AppleTV only supports WEP

    As stated by other posters, this is not correct.

    I like OS X and the new unibody MacBooks just rock... but Apple's shwarmy and basically indifferent attitude to security

    I disagree here, I think Apple has been very security conscious in the ways that actually matter most to users.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Which of these are valid... by Anonymous Coward · · Score: 0

      So, basically, what you are saying is you are another fanboi who can't tire of sucking Steve Jobs' dick. Well, we already know that!

  17. No private API's in Google app. by SuperKendall · · Score: 1

    google was able to push private api's in the google iphone app.

    This is false, it was found to simply be a notification they listened to, not an unpublished call they made. When the system calls you, that is not misuse of a private API.

    There have been other groups that have snuck use of a few marginal API calls past app testers, but they are cracking down. And as other people noted, you can use the public API's just fine to get at the phone number.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  18. API rules by phorm · · Score: 1

    Well, when I use my "locator" on a 3rd-party app, then the phone asks me if it's OK the first time around. If it's using an actual API then building a "safelist" and having it ask before sharing other private data shouldn't be so difficult. For a non-jailbroken phone, jailing the apps away from that private data and requiring the API should make such things pretty hard to get away with.

  19. Slashdot stole my IP! by Anonymous Coward · · Score: 0

    Oh noes! My IP address is on the internets! Slashdot must have stoles it! Money please... I mean... lawsuit! Lawsuit!

    Purchasing an application on a *mobile phone* - and then complaining that the purchaser knows who you are is, quite frankly, brutally retarded.

  20. SFGate are hypocrites.. by Anonymous Coward · · Score: 0

    That idiot who wrote the SFGate article is a shit-eating hypocrite.

    Because in order to comment on his site, you have to register. To register you have to provide an email address, zip code, age and gender.

    THERE IS NO REASON TO REQUIRE ALL THAT INFORMATION.

    1. Re:SFGate are hypocrites.. by Anonymous Coward · · Score: 0

      It probably kept you from commenting there, right?

      THERE IS YOUR REASON.

      The number of ridiculous, drooling Mac-hating retards on this site rivals that of Youtube. It's impressive.

  21. Why just the iPhone? by tlhIngan · · Score: 2, Informative

    From - http://yro.slashdot.org/comments.pl?sid=1386337&cid=29585841 - every phone OS has ways to get the phone number, much easier than various little hacks to do so. Android, Symbian, Blackberry OS, Windows Mobile. Though to Symbian's credit, you need to do a few tricks (like waiting for a phone call), and Android requires permission.

    The interesting question is, how many apps on those platforms already call home? Why is Apple "innovating" in revealing what could be standard practice elsewhere?

    1. Re:Why just the iPhone? by Pollardito · · Score: 1

      If Android requires permission then this problem is solved for them, put them in the "they're doing it right" column

  22. iPhone and INet by bitten · · Score: 1

    What really concerns me with the iPhone is that there is no control for net access.
    While every application using GPS must be confirmed, internet access is possible.
    I would like to see something like an app-whitelist to manage that.

    Turning the data-modes off in the preferences is imho very inconvenient, but of course is
    the most secure solution.

  23. Can't get extra security even if you pay for it by Ilgaz · · Score: 1

    Sad thing is, the best companies on mobile security (telling from Symbian), Kaspersky and F-Secure won't ship any products to a target of "jailbroken" (hacked) iPhones as they want to maintain a relationship with Apple.

    App Store is absolutely impossible since these things run daemons at background, including an app firewall.

    So, even if you pay, you won't have any kind of extra privacy or security on iPhone.

    PS: I got couple of their games, they have "recruit" feature which pulls up Address Book contacts and sends "invitation" to them without using the built in smtp. One must be real stupid not to get suspicious while REVIEWING the game. App Store approving idiot: I am talking to you.

  24. Contact info is the least of your problems. by Anonymous Coward · · Score: 1, Informative

    An application installed on your iPhone "in principle" runs in its own sandbox, but it is quite possible to access, say, your photos. I could write a game which uploaded all your personal photos to my website while you were playing it.

    Apple does not check source code. You provide a compiled binary for their review. Accessing stuff outside of your application sandbox *may* get your app rejected, though. I say *may*, because I wrote an iPhone game which used the standard wallpapers as a background. Version 1.0 was accepted. I added ad-support and made it free, resubmitted it as 1.1, and got rejected because I used "Apple copyrighted images". Note that this part of the application wasn't changed at all from the 1.0, accepted version. I pointed out that the app didn't contain *copies* of those images at all, and that I simply accessed /Library/Wallpapers (paraphrased). After that, I got a mail from the reviewer saying it's not allowed to access data outside my app's sandbox, so it stayed rejected. I then added a few photos to the installer from my own personal photo library and resubmitted. The app then got accepted.

    It would probably be a good idea if trying to upload data would trigger an end-user popup, just like accessing the current location (GPS coordinates) currently does. If you hadn't just selected "upload my high-score to the internet", the pop-up would be suspicious and you'd reject it.

    On the other hand, the app could simply upload your personal photos while pretending to upload your highscore.

    A better solution would probably be to use POSIX permissions to make things unreadable by default, and use the "UAC-style popup" to grant specific permissions. A photo editor which asks to read your camera roll makes sense, but some game probably doesn't have any business there.

    Note: I'm not currently doing anything evil, apart from serving ads. I realize that probably is evil enough for the people reading /.

  25. Message on Storm8 forum by Ilgaz · · Score: 1

    "Have storm8 pulled their games as they all show in a search but they cannot be downloaded.

    I get the following error message:

    The item you are trying to buy is no longer available

    I can download other apps but no storm8 games?"

    It means app is pulled from store either by Apple, Storm8 or some court order thing. I still think we should blame the right guys for this, App store and Apple (SDK).

  26. OS X 10.5+ firewall is app firewall in fact by Ilgaz · · Score: 1

    App Firewall does have a nice function where it scans for "listening" (server) applications and pops up when some new listening application (server) launched, asks user whether to allow and sign the binary against future modification which in that case, it will popup again.

    They are absolutely stupid to code such a "mac like" app firewall and not enabling it by default. As a good side effect, it could also promote developers sign their apps.

    BTW: Check your ports with nmap locally (nmap) or remotely (grc.com) after putting machine to DMZ. Some real needless ports are always open. I am not suggesting we should all run "stealth", it is just they keep that freaking port 88 open, they keep listening via SMB when you basically share a printer etc. Does everyone have to have a damn Windows machine on their networks?

    1. Re:OS X 10.5+ firewall is app firewall in fact by SuperKendall · · Score: 2, Informative

      BTW: Check your ports with nmap locally (nmap) or remotely (grc.com) after putting machine to DMZ. Some real needless ports are always open.

      But only if you have enabled some services, none of which are enabled by default. That's why it doesn't really matter, because any one service is going to have such a low surface area to attack it's a waste of time to write the exploit - in the general case.

      Companies should always be more cautious because of the potential for espionage, but then they could insist that be turned on. For the average home user I still don't see it as a bad default because few people will ever enable the "sharing" items. An average home user will not share a computer from a desktop Mac, instead they'd be plugging a printer into a computer directly or sharing it via a dedicated device like an Airport Express.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
  27. Storm8 Login sends your phone number + imei by PetoskeyGuy · · Score: 2, Interesting

    I don't know if they are doing it like this any more, but all storm8 apps are the same game with different graphics.

    1. Connect to storm8 server and send your phone number + imei
    2. Server returns a session id you can use for processing your commands
    3. basic http queries control the app

    This is why when the games first came out you couldn't move your account from one device to another, they used the device id as your user id. They have since implemented portable username but by default they still send all your shit across the network. You can snoop packets and see the phone number of every user that plays on your network.

    I wrote a lot of bots for all the games. I haven't played in a few months... Set up an HTTP proxy in your iPhone network settings and all this is very obvious.

    1. Re:Storm8 Login sends your phone number + imei by Anonymous Coward · · Score: 0

      As far as I can tell, the games do not send your phone number now. I've written a few scripts for these games over the last few weeks. Using Wireshark, the only information that I saw sent to the server that could uniquely identify a user's device was the device's UDID.
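The check described in the two comments above (watching your own device's traffic through an HTTP proxy for the phone number, IMEI or UDID) can be automated. This is an added example, not part of the thread and not Storm8's code; the host name, paths, parameter names and all identifier values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def luhn_ok(digits):
    """The 15th IMEI digit is a Luhn check digit; this rejects random 15-digit values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value, own_number):
    """Return the kind of device identifier a parameter value carries, or None."""
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "udid"                        # iPhone UDIDs of that era: 40 hex chars
    if value.isdigit() and len(value) == 15 and luhn_ok(value):
        return "imei"
    digits = re.sub(r"\D", "", value)
    own = re.sub(r"\D", "", own_number)
    if len(digits) >= 10 and digits[-10:] == own[-10:]:
        return "phone_number"                # matches the auditor's own number
    return None

def audit_request(raw, own_number):
    """Scan one captured cleartext HTTP request; return (host, parameter, kind) findings."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    _method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    params = parse_qsl(urlsplit(target).query) + parse_qsl(body.strip())
    host = headers.get("host", "?")
    return [(host, name, kind) for name, value in params
            if (kind := classify(value, own_number))]

# Constructed sample capture: a login that sends identifiers, then a session-only query.
OWN_NUMBER = "+1 555 010 0199"
LOGIN = ("POST /login.php?v=1 HTTP/1.1\r\nHost: game-backend.example\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "phone=15550100199&imei=490154203237518"
         "&udid=0123456789abcdef0123456789abcdef01234567")
COMMAND = ("GET /cmd.php?session=a1b2c3&action=status HTTP/1.1\r\n"
           "Host: game-backend.example\r\n\r\n")

if __name__ == "__main__":
    for request in (LOGIN, COMMAND):
        print(audit_request(request, OWN_NUMBER))
```

Any finding on a plain HTTP request means the identifier is readable by everyone on the same network path, which is the exposure the first comment describes.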

  28. Apple's fault. by hesaigo999ca · · Score: 1

    Do they not ask for your code as you do a request to be included into the Apple iPhone App Store, then if anyone really bothered to read the code and what it does, such is the job of a security analyst at their submissions department, then they would have caught this code, and would not have allowed such a game to be inserted into the iPhone to begin with.

    They have a process making it hard visibly only for coders to get their apps in, but guess what, each subsequent version upgrade, should go through the same rigorous process. This is Apple's fault only, and users should be compensated for the lack of follow through on Apple's side.

    Oh, well, now I don't trust Apple anymore, good thing, I was just about to go get myself an iPhone too, guess I will just stick with my Palm Treo.

  29. Technical Support by Anonymous Coward · · Score: 0

    Nifty way to offer technical support to people who whine about something in the iTunes App Store, but never seek technical support.

  30. End them by fulldecent · · Score: 1

    >> Storm8, a maker of some top iPhone games, allegedly stole users' mobile phone numbers, according to a lawsuit filed on November 4

    If this is true, I will post the cheats I made for all the Storm8 games (since they all use the same backend). This will end them.

    In the meantime, since nobody else hijacked this thread, it's time to mod me into oblivion:

    Kingdoms Live code: y7595v
    iMobsters code: p4cq9c
    Racing Live code: 5bycax
    Vampires Live code: cycvbv
    Rockstars Live code: 7da3pt
    World war live code: uhpt7s
    Zombies Live code: x2q779
    Ninjas Live code: k73w4

    --

    -- I was raised on the command line, bitch

  31. Open Source! by Anonymous Coward · · Score: 0

    Just another reason to use an OPEN SOURCE phone OS!

  32. Apple's Privacy Claims to the FCC by Halotron1 · · Score: 1

    This is from Apple's letter to the FCC, regarding why they rejected / delayed the Google Voice app:

    We created an approval process that reviews every application submitted to Apple for the App Store in order to protect consumer privacy, safeguard children from inappropriate content, and avoid applications that degrade the core experience of the iPhone. Some types of content such as pornography are rejected outright from the App Store, while others such as graphic combat scenes in action games may be approved but with an appropriate age rating. Most rejections are based on bugs found in the applications. When there is an issue, we try to provide the developer with helpful feedback so they can modify the application in order for us to approve it. 95% of applications are approved within 14 days of their submission.

  33. There's an app for that by Anonymous Coward · · Score: 0

    If you want a bricked iPhone, there's an app for that you can't refuse.
    If you want an exploding battery on an iPhone, there's an app for that.
    Here at Crapple, we strive to give you a crappy overpriced product for you fudgepacking, twinkie sucking snobbish faggots out there that have more money than sense.

  34. Classic! by Anonymous Coward · · Score: 0

    Steal your User Data? There's an App for that!

  35. The Symbian approach. by Rexdude · · Score: 1

    Symbian S60 3rd (and now 5th) Edition require all native apps to be digitally signed with a developer certificate that has to be bought from their site, and you can't sign up to purchase from a generic webmail account. Different types of certificates grant different permissions to the application for access to user data and handset features like SMS, calls, bluetooth, wifi, GPS etc.

    The handsets also block unsigned applications from being installed, so this also deters casual piracy (since a cracked Symbian application would not have the developer certificate).
    Of course, if you're determined, there are utilities to hack the phone's keystore and insert your own certificate there (which can be used to sign the cracked apps that you get).

    The bottom line is, this approach works fine for regular users who wouldn't mess around with cracked apps, and yet there's no need for any approval process.

    Apple may talk of the end user 'experience', but that should be up to the end user. There are people who overclock their GPUs, replace and tweak their cars' engines and so on, well aware of the risks of screwing up as well as the fact that it voids their warranty. I don't see why such an EULA shouldn't work for Apple. Let those who want to use the Appstore use it, let others who wanna hack the firmware do it and void their warranty.

    --
    "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."