Slashdot Mirror


Malware Could Grab Data From Stock iPhones

Ardisson writes "Swiss iPhone developer Nicolas Seriot presented last night a talk on iPhone Privacy in Geneva. He showed how a malicious application could harvest personal data on a non-jailbroken iPhone (PDF) and without using private APIs. It turns out that the email accounts, the keyboard cache content and the WiFi connection logs are fully accessible. The talk puts up several recommendations. There is also a demo project on github."

5 of 127 comments (clear)

  1. Re:This isn't any different from any other compute by SJ · · Score: 4, Insightful

    Isn't it more of a case that someone has found a bug, and now it's over to Apple to fix it?

    Or is that just applying far to much logic to an Apple related topic...

  2. iPhone security doesn't rely on APIs by iamacat · · Score: 4, Insightful

    It depends on manual app approval process and ability to ban/sue developers who abuse the system. There is probably also a kill switch to delete the app from existing devices that Apple hasn't yet had to activate for catastrophic malware. Runtime-enforced security has been tried with J2ME and nobody liked the app functionality. In fact people are not willing to live with Java's limitations on desktop either. Perhaps someday such a system will become viable with much more powerful mobile hardware and better thought out security system that allows more functional legitimate apps (for example, user will be able to give an app access to some or all e-mail as an intuitive option).

  3. Re:This isn't any different from any other compute by mjwx · · Score: 4, Insightful

    It is different from Android, actually. Android runs each app under a separate user ID, and one app can't access another app's data unless the other app explicitly allows it to. Typically this access will go through the standard Android permission system, so the user will see when they install the app that it's requesting permission to read their SMS logs or whatever.

    Whilst I'm not disagreeing with you, Android has a very good security model and enforcing separate UID's and permissions is essential towards that but... This still wont stop the less intellectually endowed users from just clicking yes and permitting malware to read their private data.

    To paraphrase Ron White, there is no pill to fix stupid, you cant fix stupid and neither can Google.

    In other words we'll still suffer from the stupid acts of moronic users, the good part is that more astute users will suffer from less attacks.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  4. Nice idea , but too much hassle for Joe Schmoe by Viol8 · · Score: 4, Insightful

    Just like on Windows , your non techie user is just going to end up learning a pavlovian response to any such permissions dialog and just click OK no matter what. Yes , you can blame the user but ultimately these are supposed to be simple to use gadgets for people who have more important (to them) things in their life to worry about than application access permissions they probably don't even understand. So you can't really blame users for treating a gadget thats marketed as simple to use in a simple way.

  5. Microsoft vs Apple? by dawilcox · · Score: 4, Insightful

    Why is it that every time something like this is discovered for Microsoft, it's their fault because they should have provided a more secure operating system. When something like this happens for other companies, malware is a fact of life.