• Your favorite

    Apple

    ,

    iPhone

    ,

    iPad

    ,

    iOS

    ,
    Jailbreak
    , and
    Cydia
    site.
  • Beware The Rogue App


    It sounds like a lame character from one too many X-Men sequels. But the concept of a "rogue app" is a reality for many. We've all stumbled across more than a few suspicious iPhone applications that make one wonder if the folks behind the app have ulterior motives for rolling it out.

    Making bold claims and accusations against the purveyors of malicious applications is Nicolas Seriot from the Swiss University of Applied Sciences. Nick is speaking today in Washington DC at Blac Hat DC 2010. His argument? Be afraid. Be very afraid. More importantly, however, be cautious. Be very cautious.

    This presentation will discuss iPhone privacy issues and challenge Apple's stance and assertions regarding iPhone security. The presentation will also show how a rogue application can access substantial quantities of personal data on an unmodified device and expose how it could go unnoticed in spite of AppStore tight reviews.
    During the presentation, the text and video of which are expected to be released later, Seriot wasted no time extolling the dangers of otherwise "harmless apps" that harbor unsavory secrets - namely, their ability to spy on you and soak up personal and highly sensitive data - all of which could fall into the wrong hands at the right price.

    Proof? Seriot, a software engineer in his own right, created spyware called "SpyPhone" which has proven to successfully
    access everything from Safari searches to sensitive e-mail account information like username and password. It's a cyber
    thief's dream and a stalker's paradise. For the rest of us, however, it's a nightmare waiting to happen.

    What's the point of all this? To raise our level of consciousness about the dangers of the App Store. Should we tremble over the theories proposed by Seriot? Of course not. But it is about time for many of us to rouse ourselves from a state of security complacency and realize that legitimate dangers are prowling the App Store, and Apple is simply incapable of doing all the protection for us. Often times, we have to do it ourselves.
    This article was originally published in forum thread: Beware The Rogue App started by Michael Essany View original post
    Comments 22 Comments
    1. arem's Avatar
      arem -
      It's true.
      The iPhone does need a revamp in security to remain safe.
      Jailbreakers can take extra steps toward security than OTB users though. I'm thankful for that.
    1. jd1992's Avatar
      jd1992 -
      soooo..what do we do ? lol idk you always hear things like this aand suddenly the hype dies so im not to worried
    1. Plotkin35's Avatar
      Plotkin35 -
      You spelled Beware wrong in the Photo for the article. :-) Bewware...not sure if that was on purpose as a play on Rogue apps?
    1. Bernie-Mac's Avatar
      Bernie-Mac -
      Quote Originally Posted by Plotkin35 View Post
      You spelled Beware wrong in the Photo for the article. :-) Bewware...not sure if that was on purpose as a play on Rogue apps?
      wow
    1. Michael Essany's Avatar
      Michael Essany -
      Totally meant to do that NOT. Thanks for catching my sticky double W keyboard
    1. barno909's Avatar
      barno909 -
      I'd be interested to know how a hacker would go about doing this since Apple supposedly doesn't allow multitasking. So it's obviously not recording keystrokes/touches... I wonder if he/she's some how able to modify the 'Allow app to use current location' function to get more than just the GPS data to grab said sensitive data. Very creative, unfortunately how is any one able to know if they've even downloaded a corrupt app.
    1. sziklassy's Avatar
      sziklassy -
      Things like this just go to prove that no system is completely safe. Apple has touted how it has the safest OS ever. The fact of the matter is it has been the safest because frankly nobody cared. MANY people worldwide can be effected by attacking the iPhone OS, so hackers are much more interested. For every hole that is patched up another is found, as should be crystal clear with jailbreaking and unlocking...
    1. ukoda's Avatar
      ukoda -
      Isn't this the whole justification for the Apple closed shop approval process? I thought Apple was vetting all apps so the world would be safe? If bad stuff is getting thru then Apple's justification for it war against jail breaking losses some of it's creditability.
    1. drm309's Avatar
      drm309 -
      Does this refer to the apps that talk to the network all of the time? Those are the apps that kill the battery life and is so annoying. Case in Point: New York Tines app. I'll have the phone locked, and i hear constant GSM interference which tells me that the app is still talking to the net. I even turned Fetch/Push off and it still did it. I noticed when I deleted the app, the battery life increased and the GSM interference was gone...I know there are more apps like that. Would that be a security threat secretly talking to the devs??
    1. Sevael's Avatar
      Sevael -
      I don't buy it.

      He says he created iPhone spyware. I could say that I created iPhone spyware too. Where is it? How many phones is it on? Where's the proof that it ever existed and that even a single person ever had it on their phone, and furthermore, that it actually worked and retrieved data for him? And then we would need proof that it was on the App Store, successfully approved by Apple regardless of the malicious code within.

      Sounds like Chicken Little to me.

      Besides, how many people actually have useful info on their phones that these questionable app makers would be after? I bet virtually none. If anyone wanted to take all the time required to sift through my emails or listen to all my conversations or view my browsing habits, be my guest. They won't find anything useful. I'm sure this is the case with 99% of iPhone users. Anybody willing to use things like credit card numbers over celluar data waves is already taking risks and knows what they're getting themselves into (I hope). The worst 'rogue app' coders could do is get passwords to websites, like this one. OMG, somebody's going to come on here and post in my name! The world is over, oh noes! Pfft.
    1. WaLLy3K's Avatar
      WaLLy3K -
      Quote Originally Posted by Sevael View Post
      I don't buy it.

      He says he created iPhone spyware. I could say that I created iPhone spyware too. Where is it? How many phones is it on? Where's the proof that it ever existed and that even a single person ever had it on their phone, and furthermore, that it actually worked and retrieved data for him? And then we would need proof that it was on the App Store, successfully approved by Apple regardless of the malicious code within.

      Sounds like Chicken Little to me.

      Besides, how many people actually have useful info on their phones that these questionable app makers would be after? I bet virtually none. If anyone wanted to take all the time required to sift through my emails or listen to all my conversations or view my browsing habits, be my guest. They won't find anything useful. I'm sure this is the case with 99% of iPhone users. Anybody willing to use things like credit card numbers over celluar data waves is already taking risks and knows what they're getting themselves into (I hope). The worst 'rogue app' coders could do is get passwords to websites, like this one. OMG, somebody's going to come on here and post in my name! The world is over, oh noes! Pfft.
      I think more to the point is that this can be done through the official SDK and even if it gets ONE credit card number, or password to a corporate site, things can go from bad (the fact that these things were used over unsecure channels) to worse where they're being exploited.

      This could even be in something like the Foxtel app which was always claimed to take your phone number and surfing habits. It has the potential of passing the AppStore scrutiny and getting onto Joe Blogs phone who got the phone because he was cool and wasn't smart or "geeky" enough to know how to be security conscious.

      Not everyone's like you where they have very little to hide and the fact is, there are places and/or people out there that would want to pay for this kind of semi private info that could potentially be personally identifiable. I don't care if it's my IBM work contacts or my girlfriends number, location and date of birth, they shouldn't be able to get that PERIOD.
    1. badass1469's Avatar
      badass1469 -
      lol wen u download corrupted data it wont work and it will tell u its corrupted, as for a virus/spyware theres not much to do to find out if u have dl'ed it
    1. bengo's Avatar
      bengo -
      Quote Originally Posted by Sevael View Post
      I don't buy it.

      He says he created iPhone spyware. I could say that I created iPhone spyware too. Where is it? How many phones is it on? Where's the proof that it ever existed and that even a single person ever had it on their phone, and furthermore, that it actually worked and retrieved data for him? And then we would need proof that it was on the App Store, successfully approved by Apple regardless of the malicious code within.

      Sounds like Chicken Little to me.

      Besides, how many people actually have useful info on their phones that these questionable app makers would be after? I bet virtually none. If anyone wanted to take all the time required to sift through my emails or listen to all my conversations or view my browsing habits, be my guest. They won't find anything useful. I'm sure this is the case with 99% of iPhone users. Anybody willing to use things like credit card numbers over celluar data waves is already taking risks and knows what they're getting themselves into (I hope). The worst 'rogue app' coders could do is get passwords to websites, like this one. OMG, somebody's going to come on here and post in my name! The world is over, oh noes! Pfft.
      First of all, his iPhone spyware app is probably a proof of concept you dumb ****.

      Second of all, people could have a lot of sensitive info on their iPhone. Depending what they do with it, they could have credit card information, bank account information, people's phone numbers, addresses, etc. Most people's iTunes account is linked to a credit card account... Ever heard of identity theft?
    1. mortopher's Avatar
      mortopher -
      Hmmm now I want to know what that official white house app actually does!
    1. adp's Avatar
      adp -
      Quote Originally Posted by Sevael View Post
      I don't buy it.

      He says he created iPhone spyware. I could say that I created iPhone spyware too. Where is it? How many phones is it on? Where's the proof that it ever existed and that even a single person ever had it on their phone, and furthermore, that it actually worked and retrieved data for him? And then we would need proof that it was on the App Store, successfully approved by Apple regardless of the malicious code within.

      Sounds like Chicken Little to me.

      Besides, how many people actually have useful info on their phones that these questionable app makers would be after? I bet virtually none. If anyone wanted to take all the time required to sift through my emails or listen to all my conversations or view my browsing habits, be my guest. They won't find anything useful. I'm sure this is the case with 99% of iPhone users. Anybody willing to use things like credit card numbers over celluar data waves is already taking risks and knows what they're getting themselves into (I hope). The worst 'rogue app' coders could do is get passwords to websites, like this one. OMG, somebody's going to come on here and post in my name! The world is over, oh noes! Pfft.
      Wow you're really informed. Just because you have no life doesn't mean you can assume everyone else is like you. People have pictures, passwords, e-mails (which contain private info) which leads to identity theft. You're probably not old enough to realize how much that can cost you for the rest of one's life. There's apps that people use on the phones such as mSecure which stores passwords, credit card info, driver license #'s, etc. You might not find it useful but other people do. So stop making generalizations like if you were some kind of life scientist who knows every statistic about humanity.
    1. awesomeSlayer's Avatar
      awesomeSlayer -
      This guy sounds like a douche b@g. Seriously, why in the he11 would someone create an application just to grab personal info? Stupid spyware creators...
    1. Nehal3m's Avatar
      Nehal3m -
      Oh wow. I guess now we actually have to be on the lookout for downloading suspicious apps. But then, I really doubt it. How much of us here actually uses the App Store these days?
    1. bengo's Avatar
      bengo -
      Quote Originally Posted by Nehal3m View Post
      Oh wow. I guess now we actually have to be on the lookout for downloading suspicious apps. But then, I really doubt it. How much of us here actually uses the App Store these days?
      I'd be more worried about downloading spyware apps off Cydia than AppStore
    1. Nehal3m's Avatar
      Nehal3m -
      Quote Originally Posted by bengo View Post
      I'd be more worried about downloading spyware apps off Cydia than AppStore
      Honestly, I think the only way apps on Cydia are spyware if the developer meant it to be or you just downloaded it from a strange repo.

      But then, I don't download a lot of things off of Cydia anyways.
    1. DoYouLikeLuxury?'s Avatar
      DoYouLikeLuxury? -
      Quote Originally Posted by Sevael View Post
      Besides, how many people actually have useful info on their phones that these questionable app makers would be after? I bet virtually none.
      First off, your phone number. Your family's contact information, your ip address, your gps location.