Security Cellphones Privacy Apple

Malware Could Grab Data From Stock iPhones

Ardisson writes "Swiss iPhone developer Nicolas Seriot presented last night a talk on iPhone Privacy in Geneva. He showed how a malicious application could harvest personal data on a non-jailbroken iPhone (PDF) and without using private APIs. It turns out that the email accounts, the keyboard cache content and the WiFi connection logs are fully accessible. The talk puts up several recommendations. There is also a demo project on github."
  • Re:Obiwan iPhonebi (Score:3, Insightful)

    by JohnBailey ( 1092697 ) on Friday December 04, 2009 @02:37AM (#30321448)

    I felt a great disturbance in the Smug, as if millions of fanboys suddenly cried out in terror and were suddenly silenced.

    Don't be daft.. Nothing can silence fanboys.

  • by SJ ( 13711 ) on Friday December 04, 2009 @02:43AM (#30321474)

    Isn't it more of a case that someone has found a bug, and now it's over to Apple to fix it?

    Or is that just applying far too much logic to an Apple related topic...

  • by iamacat ( 583406 ) on Friday December 04, 2009 @02:46AM (#30321490)

    It depends on manual app approval process and ability to ban/sue developers who abuse the system. There is probably also a kill switch to delete the app from existing devices that Apple hasn't yet had to activate for catastrophic malware. Runtime-enforced security has been tried with J2ME and nobody liked the app functionality. In fact people are not willing to live with Java's limitations on desktop either. Perhaps someday such a system will become viable with much more powerful mobile hardware and better thought out security system that allows more functional legitimate apps (for example, user will be able to give an app access to some or all e-mail as an intuitive option).

  • by mjwx ( 966435 ) on Friday December 04, 2009 @04:03AM (#30321752)

    It is different from Android, actually. Android runs each app under a separate user ID, and one app can't access another app's data unless the other app explicitly allows it to. Typically this access will go through the standard Android permission system, so the user will see when they install the app that it's requesting permission to read their SMS logs or whatever.

    Whilst I'm not disagreeing with you, Android has a very good security model and enforcing separate UIDs and permissions is essential towards that but... This still won't stop the less intellectually endowed users from just clicking yes and permitting malware to read their private data.

    To paraphrase Ron White, there is no pill to fix stupid, you can't fix stupid and neither can Google.

    In other words we'll still suffer from the stupid acts of moronic users, the good part is that more astute users will suffer from fewer attacks.

  • When you consider what Jailbreak *is* (root-level exploit) I thought this was already fairly well established? Especially when you consider how quickly each successive jailbreak has been released, and how little effort some have required. Say what you will about their histories, but Apple still hasn't gotten the wake-up call regarding how paranoid you really have to be for software security - something MS had thoroughly bashed into its head over the last decade.

    Keyboard cache is a good example - turns out that the keystrokes entered during bootup (such as to enter a hard drive decryption passphrase/PIN) remain in memory and can be retrieved after the system has booted. Obviously, this is a problem for things like TrueCrypt, and Microsoft's BitLocker. Except, by the time the vulnerability was revealed, Microsoft had already fixed it. That kind of twisty thinking is what Apple has yet to show any particular knack for.

  • by Viol8 ( 599362 ) on Friday December 04, 2009 @07:16AM (#30322382) Homepage

    Just like on Windows, your non techie user is just going to end up learning a Pavlovian response to any such permissions dialog and just click OK no matter what. Yes, you can blame the user but ultimately these are supposed to be simple to use gadgets for people who have more important (to them) things in their life to worry about than application access permissions they probably don't even understand. So you can't really blame users for treating a gadget that's marketed as simple to use in a simple way.

  • by dawilcox ( 1409483 ) on Friday December 04, 2009 @10:28AM (#30323420)
    Why is it that every time something like this is discovered for Microsoft, it's their fault because they should have provided a more secure operating system? When something like this happens for other companies, malware is a fact of life.
  • by Anonymous Coward on Friday December 04, 2009 @11:05AM (#30323816)

    Did you seriously just tell someone not to be unkind in the same breath as suggesting with little evidence that they've never left their country of origin?

    How's that glass house doing for you? Any cracks yet?
