Experts Not Surprised By iPhone Malicious App Report

04.12.2009
Malicious iPhone apps that Apple unwittingly approves could , according to a developer, but security experts say this isn't earth-shattering news.

"If you understand the way the security of the iPhone works, I don't think this is a surprise," said Charlie Miller, an analyst at Independent Security Evaluators who in July that could let hackers take over the phone.

Nicholas Seriot, a Swiss iPhone developer, described (PDF) called SpyPhone, capable of digging up and altering contacts, finding past Web searches, storing GPS and Wi-Fi locations and copying everything you've ever typed on the phone except for passwords. (No, you can't download it from the App Store.)

The data Seriot describes isn't a direct threat to your passwords or e-mails, but it could be of interest to marketers, spammers, thieves, competitors and law enforcement officials, he says.

Obviously, Apple would never intentionally allow such an application into its App Store--Apple says it rejects 10 percent of submissions for being "inappropriate," in some cases because they try to steal personal data--except Seriot says it's possible to trick App Store reviewers. This could be accomplished by delaying spyware activation, encrypting payloads or changing things around at runtime, Seriot claims.

Dino Dai Zovi, a security researcher and author of "The Mac Hacker's Handbook," said in an interview that the concerns Seriot raised are valid. Apple's reviewers can easily root out applications that, say, read an address book and send the contents to spammers. But it's harder to detect an application whose methods are less direct, for example by executing a script from a Web server after download. Also, App Store reviewers are only human, and they're under pressure to approve more apps than any other platform.