iPhone data harvesting from non-jailbroken devices
Nicholas Seriot, a HES software engineer and iPhone developer and trainer, gave a presentation two days ago in Geneva. The subject of the talk was iPhone privacy. He demonstrated how non-jailbroken devices can be harvested for personal data using malicious applications.
He started the talk by enumerating the various iPhone privacy and security issues that have reached the mainstream press lately: a Swiss iPhone app was banned from the AppStore because, after a few days, someone would call its users and try to sell them the full version; a number of worms infected jailbroken iPhones in November (the 5€ ransom worm, Ikee, Duh/Ikee.B, etc.); and an iPhone application publisher from California is being sued because its applications harvest users’ cellphone numbers.
Security firms are itching for a chance to develop an anti-virus solution for the iPhone because – they say – the demand is great.
He goes on to share what the Swiss federal constitution says about privacy: everybody has the right to be protected from the abusive use of personal data (all information that relates to an identifiable or identified person).
About spyware publishers: collecting personal data and building personal profiles can land you in prison for up to three years or get you fined.
About End User License Agreements: there has to be a mutual agreement on the right to use personal data; the EULA cannot declare that personal data will be collected unless you explicitly opt out.
About the responsibility of technical staff: civil action can be taken against technical staff if they failed to protect your personal data and damage resulted from it.
He explains the methodology of the harvesting (no targeting of jailbroken iPhones, no calls to private APIs, no root shell exploits, no targeting of information voluntarily given by users, such as in Facebook or Twitter profiles) and the various means that can be used to collect your phone number, email address, personal data, search history, region and mobile operator, contacts’ email addresses, GPS and WiFi location, etc.
Finally, he touches on the subject of the AppStore and the issue of spyware submissions (100 per day!), and gives some general improvement recommendations for Apple and security advice for individual users.
Take a look at the complete presentation here.