Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lawsuit Claims Top iPhone Games Stole User Data

Posted by Soulskill on from the shake-up-and-down-to-send-credit-card-details dept.

pdclarry writes "Storm8, a maker of some top iPhone games, allegedly stole users' mobile phone numbers, according to a lawsuit filed on November 4. The suit claims that best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. There have been other reports of applications copying personally identifiable customer information in the past. The complaint seeks class-action status."

45 of 149 comments (clear)

  1. Big Surprise... by Super+Dave+Osbourne · · Score: 3, Insightful

    Is it a real surprise that there are iPhone apps out there that snoop, and bypass safeguards. When will encrypted data at the 2048 and higher bit level make it into the tech we take for granted on a daily basis. If you want safeguards, folks need to start using the stuff out on the market that is free to give them some level of protection against theft. Don't lock the door well, expect thieves, don't weatherize in well, expect to get cold. Don't encrypt your data, expect to lose it to theft.

    1. Re:Big Surprise... by Quantos · · Score: 5, Insightful

      We have to be on guard for this behavior with computers, why are people surprised that it happens with mobile devices? That brings one question to mind though. Do they not verify the applications that are put up on their store?

      --
      Some people are only alive because it's against the law for me to hunt them down and kill them.
    2. Re:Big Surprise... by E+IS+mC(Square) · · Score: 5, Insightful

      >>What's to stop a bad application from bypassing those safeguards?

      Whatever happened to Apple's policy of babysitting their users by allowing only certain apps? Wouldn't this application exactly the kind of crap users should be protected against?

      It's been claimed on /. by appple apologists that that's the way apple protects its users. But apple is actually doing is protecting its pockets by banning applications which takes business away from them or AT&T - while such apps are in the wild - blessed by Apple.

    3. Re:Big Surprise... by CharlyFoxtrot · · Score: 4, Funny

      If you want infallible maybe they should get the pope to do app reviews.

      --
      If all else fails, immortality can always be assured by spectacular error.
    4. Re:Big Surprise... by SleepyHappyDoc · · Score: 5, Insightful

      Encryption wouldn't help here. The API allows access to all kinds of data on the iPhone, which some apps do legitimately require in order to function (for example, a Google Voice-type app would indeed need the user's phone number). Even if the data was encrypted, the iPhone would happily decrypt it and pass it to the app when given the proper API call. The issue here is enforcement. Developers caught doing this kind of thing should be banned from the App Store, and put on some kind of blacklist at Apple so Apple doesn't do further business with them.

      --
      Stasis is death. Embrace change.
    5. Re:Big Surprise... by R3d+M3rcury · · Score: 3, Insightful

      So Apple will try but they may make mistakes. Fair enough.

      But if we accept the fact that mistakes will be made, how is this better than either a "Wild West" approach where anyone can publish applications with no review whatsoever or, conversely, a competitive store approach where some stores will be better than others about evaluating what an app does?

    6. Re:Big Surprise... by jo_ham · · Score: 2, Insightful

      No, you just made a claim about "appple apologists" [sic] that you completely failed to back up. You then threw out your own baseless accusation, again with no citation.

      Textbook flamebait.

      You can replace "Apple" with "MS" or "Sun" or "Verizon" or "Amazon" or "Google" for exactly the same mod result.

    7. Re:Big Surprise... by sjames · · Score: 2, Insightful

      Apple would receive no blame at all here except that they claim to protect users from this sort of thing. In order to provide this "protection", they make developers of potentially useful apps jump through a series of flaming hoops, yet managed to defeat the entire point by allowing the Storm8 games right in. That is, they endorsed the app by screening it for harmful behavior, pronouncing it good, and then offering it in their app store.

      It should be no surprise that if Apple will claim to be providing this protection and then fails to do so, they will catch some heat over it.

      If they had left things open and the same thing happened, instead the comments would be a mixture of "that's what happens when you install random binaries you download from the net" and calls for Storm8 to be treated just like a script kiddie would be if caught. Apple would be left out of it because they neither produced nor endorsed the apps.

      Storm8 proclaims that the data collection was a bug rather than deliberate. If so, that just makes it worse for Apple's claims that they must screen all apps for their user's own good.

    8. Re:Big Surprise... by sjames · · Score: 2, Insightful

      They've had since at least August 27th to correct their oversight (the date when Storm8's behavior was first documented publicly). Considering that it could be verified by just installing one of the listed games and running tcpdump while registering it, I'd have to say they haven't been at all interested in investigating.

      Just to add to it, Storm8 doesn't even deny that the collection happened! They only deny that it is intentional.

    9. Re:Big Surprise... by Antique+Geekmeister · · Score: 2, Insightful

      When will a pony show up and dance the lambada? This has _nothing_ to do with the length of encryption keys, and everything to do with fine-grained data access. Unfortunately, a lot of apps were developed first, and security only thought of later. (Yes, I'm talking about CVS and Subversion and Jabber.) The results are predictable: personal data is not encrypted, and is shared freely to the local filesystem because the developers are not given the time, and the apps are not given the resources, to protect the data more thoroughly.

      This data _should not have been accessible_ to unauthorized applications, true. But encryption in limited hardware like an Iphone is painful to provide at all, due to the speed and space limitations. 2048 is hardly necessary: most such data lives in plain-text, because the authors believe that its your operating system's problem, not yours. (Go look at Subversion's storage of plain-text passwords to see where this leads.)

    10. Re:Big Surprise... by DavidTC · · Score: 2, Insightful

      Exactly.

      Apple is playing both sides here. Either their app store is safe, or it isn't.

      If it isn't safe, 90% of their excuse for not allowing people to download apps from anyone is nonsense.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  2. Clearly an inside job. by Reeses · · Score: 4, Funny

    As strict as the Apple store is about getting actual useful apps in, and screening all kinds of apps based on one or two system calls, clearly the only way this could have happened is if Storm8 has someone on the Apple App Approval Team who they know. Otherwise, how would something like this have gotten past such a stringent code review?

    --
    Reeses
    1. Re:Clearly an inside job. by Super+Dave+Osbourne · · Score: 2, Interesting

      That is of course assuming Apple has a tough scrutiny that is uniform across all apps and all its screeners. I often get the impression that with 1000s of crap apps submitted, and 1000s of crap apps approved, with 1000s of good apps rejected, and even more 1000s of crap apps rejected there is no rhyme or reason to the insanity that still is the approval process at AppStore. To summarize, they do what is necessary to keep it afloat, and no more. Others take advantage of it, and thinking there is some conspiracy at AppStore is as valid in my mind as the argument that this Storm8 upload of PNUM was a mistake/error. Just don't buy it.

    2. Re:Clearly an inside job. by SchroedingersCat · · Score: 5, Insightful

      They don't have access to the code. Besides, reviewing the code requires non-trivial technical skills. They are checking that apps conform to certain standards. If somebody really wants to plant backdoor into their app then nothing can realy stop them. There must be an explanation for 10000 fart apps in the store. Perhaps some of them have VOIP client built in...

    3. Re:Clearly an inside job. by chocomilko · · Score: 2, Informative
      Apple acknowledges the fact that developers might insert hidden content into their app to skirt the review process. They do warn, however, that they will eventually find out and yank your app -- which is what has happened here.

      Unfortunately, app reviewers literally just install your app on a bunch of devices and tap around the screen to make sure nothing breaks, so any sort of hidden functionality will likely make it past the initial screening.

      For the record... my app, Touch Health, will not steal your phone number.

    4. Re:Clearly an inside job. by DavidTC · · Score: 2, Interesting

      That is possibly the stupidest review process I've ever heard of.

      Surely Apple has some sort of iPhone emulator they can install on and see what files it accesses.

      Hell, in this case, your phone number is being transmitted in cleartext, which should have been noticed via a sniffing.

      Obviously, nothing could even entirely be 100% sure, (See: Halting problem), but it could be made damn hard for apps to do that sort of stuff.

      At this point, it's looking like Apple's entire 'review' process is solely to keep competitors out. Yes, yes, I've always heard people say that, but I actually believe they were at least also keeping malicious software out.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  3. Not so secret .. by Anonymous Coward · · Score: 5, Informative

    Getting access to a user's phone number doesn't require a 'secret' code. Any app can do that.

    http://blog.timeister.com/2009/06/25/objective-c-get-iphone-number/

  4. yeah, right! by Anonymous Coward · · Score: 5, Insightful

    To be fair, given apple's reputation of 'protecting' their users by banning apps for all and sundry stupid reasons, it's only fair to lay the blame on the company for failing to protect against this.

    You can't have the cake and eat it too.

    But of course, if it's apple - apparently they can, at least here on /.

    1. Re:yeah, right! by E+IS+mC(Square) · · Score: 4, Funny

      Apparently, having the word 'iphone' in the app name is harmful, but allowing some other app to steal user data is okay - as long as it does not have the name 'iphone' in the app name.

      But it's apple!! They can't do no wrong!!

    2. Re:yeah, right! by DJRumpy · · Score: 2, Interesting

      They never guarantee that they will remove all malware, although they reserve the right to ban any application that is deemed dangerous. Unless they were to visual verify every line of every code of every applications (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.

      I for one would prefer that they make the attempt, rather than taking the MS approach of relying on heuristics to identify them.

    3. Re:yeah, right! by TheRaven64 · · Score: 2, Interesting

      The XNU kernel on the iPhone supports fine-grained profiles for restricting what applications can do. If something is a game, then it needs to access the display, write to the app's directory, and nothing else. This should be enforced by the kernel. Apple has even written a policy for this already, which ships with OS X on the desktop (I've never met anyone who uses it, but it's there). There is no excuse for not using this on the iPhone.

      --
      I am TheRaven on Soylent News
    4. Re:yeah, right! by DJRumpy · · Score: 3, Informative

      > IANAL, but a content provider that facilitates distribution of malware/spyware through its portal must be culpable to some extent?

      No they aren't. You should know better if you're on this site. That's like saying the internet providers are responsible for all malware.

      They check apps for content and for duplicated functionality. They don't do a line by line review of every piece of code, nor do they claim to do so.

    5. Re:yeah, right! by Dare+nMc · · Score: 2, Insightful

      I would agree, except apple's setup seams to prevent anyone but apple being able to prevent this. Most other platforms you could install a debugger/logger, but that would be banned on any phone that can access the app store. In a open development environment you could have open source apps that the customers can compile themselves insuring any suspicion can be verified in source as intent, again not option in the apple environment. Apple better have a terms of use for application developer so that these suppliers are are in-deed punishable by apple. Since again, the customer only deals with Apple for the applications, it seams to me, Apple should be the first ones to sue these developers, since they are likely to take the most damage from this.

    6. Re:yeah, right! by DJRumpy · · Score: 2, Insightful

      No play for play software producer would open the source on their currently selling software. At a minimum, should the charges prove true, I would think Apple will yank the app (potentially all apps from that vendor I would think). This is a pay app, not a free one.

      I would also think that legal action, both by individuals, and by Apple is pretty much a given should it prove to be true.

    7. Re:yeah, right! by MightyMartian · · Score: 2, Insightful

      One of the chief rationales constantly given for Apple's labyrinthine and bizarre rules is to protect the "experience". If Apple is allowing malware in their store, then I think they should taken to task for screwing with the "experience".

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    8. Re:yeah, right! by MightyMartian · · Score: 3, Insightful

      I'd love to, but sadly, I think it shows the sheer ineptitude of their apps store and undermines the very arguments they use for denying things like full C64 emulators. In short, Apple's excuse is a pile of bullshit. If malware can make it on to the iPhone via the Store, then one of the Store's primary purposes has been undermined, as has Apple's claims about it.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    9. Re:yeah, right! by brkello · · Score: 2, Insightful

      Eh, that's a load of crap. Apple spews us with ads on how much safer it is than a PC daily with their misleading commercials. But then, when they approve something that runs on an Apple device that steals your data, it's ok?

      If you are making the claim that you don't have to worry about viruses and bad people on Apple products, then you better not be sanctioning apps that do exactly that. If they let anyone put anything on the iPhone, this would be different. But since they force you to go through their approval methods, people are going to expect more from them. You can't let them have it both ways.

      --
      Support a great indie game: http://www.abaddon360.com
  5. What Safeguards? by hdurdle · · Score: 5, Informative

    How is using standard, documented, code bypassing safeguards?

    NSString *telnum = [[NSUserDefaults standardUserDefaults] stringForKey:@"SBFormattedPhoneNumber"];

    On most devices - at least those that were activated via iTunes - that will return the phone number. Or null if you're on an iPod Touch.

    Okay, so the developer shouldn't have been harvesting this data, and definitely not without protecting it, but I fail to see how this was bypassing safeguards!

    1. Re:What Safeguards? by RobTerrell · · Score: 5, Informative

      Mod parent up. There's no safeguards. The Cocoa Touch SDK doesn't protect the user's phone number or name. Even the contents of the entire address book are accessed without safeguards. I was amazed to learn that I have to give an app permission to get my location, but meanwhile apps could pull every email address from Contacts and post them to a web server somewhere without my ever knowing.

    2. Re:What Safeguards? by IamTheRealMike · · Score: 4, Interesting

      What? Seriously? Why does this never come up in iPhone vs Android reviews? The Android security system isn't perfect, but it does at least tell you what an app will be able to do ahead of time. If I install a game and it wants to read my address book, I think twice.

  6. note to Apple by N!NJA · · Score: 4, Interesting

    mass-adoption is a security liability. it must be feared as much as holes and bugs in software. how does it feel to be in Microsoft's shoes? go ahead, fanbois. mod me down.

    1. Re:note to Apple by 140Mandak262Jamuna · · Score: 3, Insightful

      mass-adoption is a security liability. it must be feared as much as holes and bugs in software. how does it feel to be in Microsoft's shoes? go ahead, fanbois. mod me down.

      Oh, really? Take a look at the market share of Apache webserver. Now which is more secure? IIS or Apache? They are plump target for every organized crime outfits in the world. They host banks and brokerage accounts that transact trillions of dollars day in day out. And the organized crime outfits don't limit themselves to simple hacker techniques. They would not mind murder and kidnapping and bribing to get passwords or breaking and entering to install key loggers. In that market place Apache shines and IIS lags.

      Mass adoption alone is not a security liability. Mass adoption of closed proprietary protocols, be it Apple, be it Microsoft, be it Diebold, is a security liability. The reason is the main interest of Apples and Microsofts and Diebolds is to sell more of their product. Not security of user data. It is important only as much as it affects sales. If there are other factors that influence sales they will be the preoccupation of these companies, not security of user data.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:note to Apple by ErikZ · · Score: 2, Funny

      ...
      Are you saying Apache is Murder-proof?

      How did they test that?

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
  7. Re:App Testing by Jackie_Chan_Fan · · Score: 5, Informative

    skype, opera, flash, and c64 emulators

  8. This is isn't new by Anonymous Coward · · Score: 2, Informative

    You can get device id (often the number) on games/apps from a variety of carriers. We're contractually bound only to use it for reporting back to them. Esp for subscription games. There's that line about sharing info with our partners in nearly every privacy clause, basically we use it to track you but not to market to you.

    And yes I've worked in the industry for a while.

  9. Apple's "Security" Focus (or lack their of) by thesandbender · · Score: 4, Interesting

    As a recent convert to Apple (short story OS X is a nice balance between Unix and applications I need to use for my client base) I was a little shocked by how nonchalant Apple seems to take user security.

    1. MacBook's default to no user authentication which is unacceptable for a portable device that can be stolen or misplaced.
    2. The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.
    3. And as a completely random example... AppleTV only supports WEP. I know this is a nit-picky thing but it shows Apple's indifference. WEP has been thoroughly and completely broken... yet one of Apple's primary devices will not support a more secure protocol. You want to use your new toy you have to downgrade your security.

    I like OS X and the new unibody MacBooks just rock... but Apple's shwarmy and basically indifferent attitude to security is going to end up biting them in the arse.
    /I've strapped on my fire-proof britches... fire away :)

    1. Re:Apple's "Security" Focus (or lack their of) by kegger64 · · Score: 4, Informative

      Not a flame, just a correction... the AppleTV supports WPA encription as well as WEP, and has for years. See http://www.engadget.com/2007/04/05/apple-tv-review/ .

      --
      653899 - Another prime Slashdot UID
    2. Re:Apple's "Security" Focus (or lack their of) by jo_ham · · Score: 2, Interesting

      1. If your Macbook is stolen, your data is compromised whether you have user auth on or not, since with an OS X install disk you can reset the admin password. Alternatively they can just boot it in firewire mode and mount the disk on another machine and take your data that way (or physically remove the HD). Unless you specifically set your keychain password to something other than your admin password this also means any password you store in there is compromised too. Are you suggesting that Macbooks ship with Filevault turned on? I would suggest that when you start a new user profile that it recommends that your keychain master password is different from your login password, but this is going to get in the way of a smooth user experience (which is a crummy reason to reduce security, but there is a balance between security and convenience that we all have to decide on) - by default the Mac is pretty open, but you can chose to enable the firewall, create different passwords for your keychain, run as a non-admin user etc etc as you see fit.

      2. Yes, it should be on by default. I have no idea why it isn't.

      3. The Apple TV is a bit of a special case - it should be updated to newer wireless standards, but I assume there is a technical reason why this is not so at the moment. Everything else on current Mac hardware on the wireless front (ie, anything that is g or better) supports at least WPA or WPA2 as well as the more esoteric WPA2 enterprise protocols as well as the less secure WEP stuff for compatibility. If you have an Apple TV on your network, you either need to drop to WEP or hook it up over ethernet - a problem that does need to be addressed.

    3. Re:Apple's "Security" Focus (or lack their of) by cbreak · · Score: 2, Informative

      For 1: User authentication does not help against data loss due to stolen or lost hardware. Local access means root access, unless encryption is used. And Apple can't turn on FileVault by default since users that aren't careful (master password, write their password down and store it in a safe) would just forget their passwords and lose access to their data permanently.
      For 2: The purpose of a firewall is to filter traffic to open ports. Mac OS X has no open ports by default. Any services the user chooses to run have to get a hole in the firewall anyway to work. So how exactly would turning the firewall on by default help the security against intrusion?

    4. Re:Apple's "Security" Focus (or lack their of) by SuiteSisterMary · · Score: 2, Informative

      For 2: The purpose of a firewall is to filter traffic to open ports. Mac OS X has no open ports by default. Any services the user chooses to run have to get a hole in the firewall anyway to work. So how exactly would turning the firewall on by default help the security against intrusion?

      The purpose of a firewall is to filter traffic on open ports. Without a firewall, *all* ports are open, even if there are no daemons listening on them. When you install new software, you are potentially installing a daemon, or a client software. Some people like having firewalls that do the proper job of also filtering outbound traffic.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  10. Privacy applications are available.... by westyvw · · Score: 5, Interesting

    If your phone is jailbroken. I do not know if it protects the user form this company, but it does block information that other companies have been known to try and get. Yet Apple is still trying to convince users that the App store is the only safe place for software.

  11. Which of these are valid... by SuperKendall · · Score: 3, Informative

    MacBook's default to no user authentication which is unacceptable for a portable device that can be stolen or misplaced.

    Are you sure about that? Every new Mac I've seen, you have to set up a user account (with password) first. Are you talking about how there is a setting to log you in automatically on restart?

    The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.

    This makes no sense. No ports are open by default, so just what would the firewall be, well, firewalling? With no ports open by default it's pretty much pointless to target any of the services since so few of them are likley to be turned on across the population. That's actually the real reason we've seen no viruses on OS X, because there's no target vector wide enough to be worth the trouble - thus all attacks are trojan style.

    If a particular app has a flaw how does a firewall help, if that app choses to listen on a port? Wouldn't it have to do that around the firewall anyway?

    And as a completely random example... AppleTV only supports WEP

    As stated by other posters, this is not correct.

    I like OS X and the new unibody MacBooks just rock... but Apple's shwarmy and basically indifferent attitude to security

    I disagree here, I think Apple has been very security conscious in the ways that actually matter most to users.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  12. Why just the iPhone? by tlhIngan · · Score: 2, Informative

    From - http://yro.slashdot.org/comments.pl?sid=1386337&cid=29585841 - every phone OS has ways to get the phone number, much easier than various little hacks to do so. Android, Symbian, Blackberry OS, Windows Mobile. Though to Symbian's credit, you need to do a few tricks (like waiting for a phone call), and Android requires permission.

    The interesting question is, how many apps on those platforms already call home? Why is Apple "innovating" in revealing what could be standard practice elsewhere?

  13. Storm8 Login sends your phone number + imei by PetoskeyGuy · · Score: 2, Interesting

    I don't know if they are doing it like this any more, but all storm8 apps are the same game with different graphics.

    1. Connect to storm8 server and send your phone number + imei
    2. Server returns a session id you can use for processing your commands
    3. basic http queries control the app

    This is why when the games first came out you couldn't move your account from one device to another, they used the device id as your user id. They have since implemented portable username but by default they still send all your shit across the network. You can snoop packets and see the phone number of every user that plays on your network.

    I wrote a lot of bots for all the games. I haven't played in a few months... Setup an http proxy in your iPhone network settings and all this is very obvious.

  14. Re:OS X 10.5+ firewall is app firewall in fact by SuperKendall · · Score: 2, Informative

    BTW: Check your ports with nmap locally (nmap) or remotely (grc.com) after putting machine to DMZ. Some real needless ports are always open.

    But only if you have enabled some services, none of which are enabled by default. That's why it doesn't really matter, because any one service is going to have such a low surface area to attack it's a waste of time to write the exploit - in the general case.

    Companies should always be more cautious because of the potential for espionage, but then they could insist that be turned on. For the average home user I still don't see it as a bad default because few people will ever enable the "sharing" items. An average home user will not share a computer from a desktop Mac, instead they'd be plugging a printer into a computer directly or sharing it via a dedicated device like an Airport Express.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley