“Nicolas Seriot, an iPhone developer, presented his findings during a conference in Geneva on iPhone privacy. According to his research, malware could exploit a previously unknown hole to access a user’s e-mail accounts, Safari, and YouTube searches, keyboard cache content, and the Wi-Fi connection logs,” Patrizio reports.
“Most hacks that affect the iPhone are the ones that are unlocked with ‘jailbreak’ utilities… Evidently, however, even iPhones fresh off the shelf could be vulnerable, according to Seriot, who showed how a malicious application could gather personal data from an iPhone without using private APIs,” Patrizio reports.
“Based on his conclusions, a malicious app is free to move around all it wants once inside the system — reading a user’s address book, stealing their phone number, viewing their browser history, and culling other private data from the device,” Patrizio reports. “Apple did not respond to requests for comment.”
Patrizio reports, “Seriot also said that unlike the transmission methods popular among PC malware, iPhone trojans will make their way to the device by way of the Apple App Store. ‘Reviewers can be fooled,’ he noted in his presentation.”
Full article here.
MacDailyNews Take: Apple’s response, if they find the threat to users to be credible, won’t likely be a statement to media, but rather the release of iPhone OS 3.1.3 or higher along with a credit for Seriot in the CVE list.
That’s pretty much nonsense. Obviously Obviously any application on any computer can have malicious payload.
Go to any shareware site, nobody checks code there. So why now claim that iPhone apps have a security hole, when they actually check code there?
Pure baloney FUD!
Yup, just another example of “if you make it insecure, it’ll be more insecure” thinking without any mention of the likelihood.
I could be IN YOUR HOUSE RRIIIGHT NOOOOWWWW! No really. Just give me your address and a key to your house. Oh, and once I get there, I’ll let you know, so don’t look at the door for about 5 minutes once I tell you I’m there. Next thing you know I’m standing behind you KEELIN YER DEUDZ!!!
I could write a program that erases everything on your Mac without it being considered a virus, Trojan, worm, etc.
Like Macguy says – pure FUD.
Macguy: you are right, this is pure FUD.
Even in the worst scenario (a malicious application making its way to the App Store despite the review process), Apple could at any time remove it from the AppStore, delete it remotely from the the user device and go after the malicious developer (every developer has to sign up with the iPhone Developer Program, pay at least $99 a year, and also provide tax and banking information if submitting non-free apps; this is not an anonymous process). This is one of the good reasons why Apple should continue controlling the app submission process…
This just in. Commercial PC and Windoze software can access data on your hard disk. And the sky is blue, too.
Would a developer risk certain detection, $m’s in fines and 10 years in jail.
Unlikely..
Apple has a remote-disable feature they’ve never yet used on the iPhone community. Having some rogue application obtained off of Apples App Store suddenly start stealing customers’ private data is probably when Apple would use the “disable” tool.
The good thing about authors of malware is they are like cockroaches: they work in the dark and require anonymity.
What retard is going to register with Apple, sign agreements with them, and then write some hidden malware for stealing user data when Apple can A) remotely and globally disable his software, and B) come sue his ass and publicly disclose who he is?
Answer: no one.
“may be at risk”
“could exploit”
“Evidently”
“could be vulnerable”
“application could gather”
“Based on his conclusions”
Wake me when someone KNOWS something, not all this “could be” crap.
@Wingsy:
LMAO!!!!
Huh?
An App that Apple sells me.. can access my phone… and my data.
That’s a surprise?
Guess how long that App would stay in Apple’s store?
Guess how long before the virus-author would be prosecuted?
(Developers have to give their name and credit-card info before they can be developers.)
This is FUD for the ignorant, and an obvious shot at the smartphone leader. Not worth the attention MDN is giving it.
Apple tests all Apps during the approval process.
The chances of malware getting through to an iPhone are slim. The chances of getting through to an iPhone anonymously are approaching impossible.
FUD
More FUD from Andy Patrizio? He’s just a hack trying to make a living. He’s been doing it for many years with the help of other tech sites and now MDN. This is getting pretty boring.
http://www.tuaw.com/2007/03/22/fud-windows-is-most-secure-os/
“Security hole” said the nSecure aHole..
Isn’t the automated iPhone app checking software supposed do just that, check for some hidden code among other things. If you have an app that is downloading content directly from some remote server, it can not load a Trojan horse through their app’s little backdoor.
The thing is, with the iPhone there is at very least a mechanism to catch potential malware before it infects the platform. And yet we hear, over and over, what a terrible thing it is that iPhone is a closed system that developers must go through Apple and iTunes, and because of their Draconian rejections of apps, the open source platforms are much better.
Do I have to spell it out for the Androids? They have no protection and they will sooner or later have to install anti-malware software on their phones. That is the lesson this FUD article teaches me.
OMG! If you have glass windows in your home, a thief could shoot a tear-gas canister into your home! creating a denial of service attack on your house! Quick! Secure yourself in a concrete windowless, doorless shelter before these nefarious haXorz target you! For a modest fee, we will protect your home from these evil doers — just call 1-900-Zap-HaXs after midnight; have your credit card ready for faster service…
wow…you actually called someone a retard because they disagreed with you. How offensive to people with special needs. Certainly you know better than to act like a 7th grader.
I can hold the C key at boot, run Disk Utility and choose Erase with 35 pass, wait a few days, do the same to the TimeCapsule across the room, wait a few days, then where would you be? Hmmmmmm?
Ohhhhhh What next: “Every Mac ships with a DVD that can harm your data!” headlines? Scary!!!
Lame.
Say what you will, but I for one am really happy that Apple has a closed system. Yeah, I’ll drink the Kool-Aide if you want to call it that, but mark my words, mark the date and time of this message about this.
The big boasting that Verizon and Google are doing in regards to Android will only go so far. Once that system is hacked beyond recognition by some nefarious bastard, Android will run slower than Windows with all of the protection that it will need.
The idiots who have been proclaiming that Apple’s OS has been secure due to obscurity cannot possibly still be saying this. Proof of concepts continue to roll, but the platform is still stable and under vigilant watch from Apple. Will it be penetrated? I’m certain that it’s only a matter of time, but at least I know that the company is working on avoiding things like this. The same cannot be said for Android, a platform that will be run by many different hardware and software vendors.
You will rue the day that you cursed the closed system. For you it’s only a matter of a short time too and the embarrassment of parading around like some Macho Libre bulldog will come back to haunt you.