Researcher Says App Store Open To Malware
According to Swiss software engineer Nicholas Seriot, Apple’s app approval process is not enough to weed out certain malicious applications from getting into the App Store and being downloaded by millions of users. With the current system, apps disguised as a harmless game or other app could easily be created to harvest user data in the form of their mobile-phone number, address book data, and the notes section of the address book, and then send it to be stored on a web server without the owner knowing.
“It turns out that the full Address Book is readable without the user’s knowledge or consent,” Seriot wrote in a white paper (PDF) on the subject. With more effort, the device, location, activities, interests, and friends could also be accessed.
“Consumers should be aware that iPhone security is far from perfect and that a piece of software downloaded from the App Store may still be harmful,” Seriot wrote. “As a basic precaution, users should regularly clean the browser’s recent searches and the keyboard cache in Settings. They should also change or delete the declared phone number, also in Settings.”
To prove his point, he created his own open-source proof-of-concept dubbed “SpyPhone” that can access sensitive information on an iPhone like email addresses and passwords, and the device’s location.
“Safari recent searches, YouTube history, and your keyboard cache give clues about your current interests,” he writes. “These interests are linked with your name and your e-mail addresses, your phone number, and your area. Harvested from large numbers of users, such data have a huge value in the underground market of personal data, and it must be assumed that Trojans are, in fact, exploiting this on the App Store.”