Malware Could Grab Data From Stock iPhones 127
Ardisson writes "Swiss iPhone developer Nicolas Seriot presented last night a talk on iPhone Privacy in Geneva. He showed how a malicious application could harvest personal data on a non-jailbroken iPhone (PDF) and without using private APIs. It turns out that the email accounts, the keyboard cache content and the WiFi connection logs are fully accessible. The talk puts up several recommendations. There is also a demo project on github."
Re:Interesting sources... (Score:3, Interesting)
One other thing of note is that a great deal of this involves poking about in /var/mobile/... at preference and temporary files....Even if you obsfucated the string the filesystem could simply report if anything under that directory were being accessed and what the call stack was like, though I think it unlikely they would go to these lengths.
They'd be better just to lock down access to the files which apps have no business accessing directly - get system apps to save their preferences elsewhere for example, or restrict permissions artificially for sandboxed apps via the filesystem apis and refuse access to all files except the sandbox. That way even if someone gets past the filters (that's a game of whack-a-mole really, and the current controls are easy to defeat) they cannot access the files.
They need to move to restricting access fully at the point of access, not scanning for possible violations at one point in the process (apps may not access files when tested for example).
Also I do think apps that need access to address book records should be forced to ask for permission first (as with location), as often users will not want to provide that information and games etc have no business knowing it.
Re:Nice idea , but too much hassle for Joe Schmoe (Score:3, Interesting)