Think your non-jailbroken iPhone is safe from spyware? It might be time to think again.
New research from a Swiss iPhone developer has exposed a number of exploits that could be used by hackers to sneak spyware into the iTunes Store. What’s more, he thinks there may even be spyware on the App Store already.
Nicolas Seriot has created a proof-of-concept app called SpyPhone to show how developers could invade users’ privacy. Seriot’s aim was to create an app that would compromise a user’s private data using only officially sanctioned Apple APIs, no hacking techniques and no links to a user’s Facebook or Twitter account.
In a talk in Geneva this week, Seriot demonstrated how his SpyPhone app could steal a wide variety of user data that could be a goldmine for marketers. This includes:
- The address book (even going as far as editing address book entries without the user’s knowledge)
- Browser history and YouTube searches
- Possible user passwords via keyboard cache records
- A good guess at your location. While a direct request for your location via GPS requires user confirmation, developers can query the maps preferences and weather preferences.
- A history of some of the places you travel to, thanks to your geotagged photos
Now, you’re probably thinking that there’s no way Apple would allow such software into the App Store, right? Seriot reckons it would be relatively easy to fool Apple into approving a spyware app by delaying deployment of the spyware, encrypting the payload or using clever coding tricks.
Seriot ended his talk by calling for much tighter security controls on the iPhone, including an outgoing firewall built right into the OS. He also suggested that there is likely to be spyware already going unnoticed on the iTunes Store, a frightening thought.
Given that the iPhone is such a key part of Apple’s future strategy, we wouldn’t be surprised if iPhone OS 4.0, due next summer, features some heavy improvements in the security of the device. Until then you would do well to think twice about trusting Apple’s review process 100%, just in case.
You can read the whole of Nicolas Seriot’s presentation on iPhone security as a PDF file here.
[via The Register]