Apple iPhone security, privacy claims exaggerated, researcher says

Black Hat conference presenter criticised Apple iPhone application security

Apple's claims about iPhone privacy and security are exaggerated, according to software engineer and security expert Nicolas Seriot, who gave a presentation yesterday about the iPhone at the Black Hat Conference in DC.

Apple's sandboxing technology restricts iPhone applications to operating system resources with a list of deny/allow rules at the kernel level, but these and other permissions are "way too loose," and "Apple should not claim that an application cannot access data from another application," said Seriot, who works as an iPhone programming trainer at a company called Sen:te.

Seriot noted a number of iPhone apps, including one called Aurora Feint and another called mogoRoad, that made it into Apple's App Store before being de-listed for privacy violations involving the harvesting of iPhone users' contacts, e-mails and phone numbers. Apple reviewers can be fooled, and the likelihood of this continuing to occur appears high, especially as the iPhone, now at about 34 million devices in the market, becomes an increasingly appealing target for hackers, he said.

Seriot is examining these kinds of issues for some Swiss financial institutions that want to know about iPhone security and privacy. About 8% of iPhones today are believed to be "jailbroken," meaning the user has effectively disabled controls in order to run whatever software he wants, not just what's available in the App Store, and malware aimed at them is starting to grow.

Separate from the jailbroken issue, Seriot has found in his own investigation that sensitive personal data can be picked up just building an application using the known iPhone APIs.

To illustrate why he's skeptical about iPhone privacy and security, Seriot designed what he calls his SpyPhone app (it's not available through official Apple iPhone channels, but intended to illustrate his point). With SpyPhone, it's possible to peer into e-mail addresses, the user account and server information -- though not the password, he said. Recent Safari and YouTube searches are also laid out.

If an iPhone accesses Wi-Fi, information is revealed about what Wi-Fi networks are used, as well "my phone number and the last person dialed," said Seriot, who gave a brief demo of the SpyPhone application he wrote. "What else? Location. When an iPhone app asks for the position of the user, it comes from the cache of the maps application."

Seriot said he thinks Apple should build something akin to an application firewall for the iPhone so that the user can be informed when certain actions start to occur so he can prevent them from happening, such as an app trying to edit the address book.

However, Seriot also said he wasn't in favor of changing the underlying security mechanism so that antimalware software makers might be able to scan for malware or perform other security functions. Several security vendors would like Apple to change the iPhone so their software could be used on it, but Seriot expressed skepticism that these vendors simply want another market for their wares.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags AppleiPhoneblack hat

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?