Malware Could Grab Data From Stock iPhones
Ardisson writes "Swiss iPhone developer Nicolas Seriot presented last night a talk on iPhone Privacy in Geneva. He showed how a malicious application could harvest personal data on a non-jailbroken iPhone (PDF) and without using private APIs. It turns out that the email accounts, the keyboard cache content and the WiFi connection logs are fully accessible. The talk puts up several recommendations. There is also a demo project on github."
Re:Obiwan iPhonebi (Score:3, Insightful)
I felt a great disturbance in the Smug, as if millions of fanboys suddenly cried out in terror and were suddenly silenced.
Don't be daft.. Nothing can silence fanboys.
Re:This isn't any different from any other compute (Score:5, Insightful)
Isn't it more of a case that someone has found a bug, and now it's over to Apple to fix it?
Or is that just applying far too much logic to an Apple-related topic...
iPhone security doesn't rely on APIs (Score:5, Insightful)
It depends on a manual app approval process and the ability to ban/sue developers who abuse the system. There is probably also a kill switch to delete the app from existing devices that Apple hasn't yet had to activate for catastrophic malware. Runtime-enforced security has been tried with J2ME and nobody liked the app functionality. In fact people are not willing to live with Java's limitations on desktop either. Perhaps someday such a system will become viable with much more powerful mobile hardware and a better thought-out security system that allows more functional legitimate apps (for example, the user will be able to give an app access to some or all e-mail as an intuitive option).
Re:This isn't any different from any other compute (Score:5, Insightful)
Whilst I'm not disagreeing with you, Android has a very good security model and enforcing separate UIDs and permissions is essential towards that but... This still won't stop the less intellectually endowed users from just clicking yes and permitting malware to read their private data.
To paraphrase Ron White, there is no pill to fix stupid, you can't fix stupid and neither can Google.
In other words we'll still suffer from the stupid acts of moronic users, the good part is that more astute users will suffer from fewer attacks.
Re:This isn't any different from any other compute (Score:4, Insightful)
When you consider what Jailbreak *is* (root-level exploit) I thought this was already fairly well established? Especially when you consider how quickly each successive jailbreak has been released, and how little effort some have required. Say what you will about their histories, but Apple still hasn't gotten the wake-up call regarding how paranoid you really have to be for software security - something MS had thoroughly bashed into its head over the last decade.
Keyboard cache is a good example - turns out that the keystrokes entered during bootup (such as to enter a hard drive decryption passphrase/PIN) remain in memory and can be retrieved after the system has booted. Obviously, this is a problem for things like TrueCrypt, and Microsoft's BitLocker. Except, by the time the vulnerability was revealed, Microsoft had already fixed it. That kind of twisty thinking is what Apple has yet to show any particular knack for.
Nice idea, but too much hassle for Joe Schmoe (Score:5, Insightful)
Just like on Windows, your non-techie user is just going to end up learning a Pavlovian response to any such permissions dialog and just click OK no matter what. Yes, you can blame the user but ultimately these are supposed to be simple to use gadgets for people who have more important (to them) things in their life to worry about than application access permissions they probably don't even understand. So you can't really blame users for treating a gadget that's marketed as simple to use in a simple way.
Microsoft vs Apple? (Score:4, Insightful)
Re:No, no, no. This is English. (Score:1, Insightful)
Did you seriously just tell someone not to be unkind in the same breath as suggesting with little evidence that they've never left their country of origin?
How's that glass house doing for you? Any cracks yet?