According to research from security expert and software engineer Nicolas Seriot – a man you can read about here – iPhone privacy may not be all that it’s cracked up to be. Speaking at the Black Hat Conference, which focuses on technical security, in Washington DC this week, Seriot made a number of claims.
According to reports this morning, the Lausanne-based engineer said that Apple’s sandboxing technology restricts iPhone applications’ access to operating system resources with a list of deny/allow rules at the kernel level, but that these and other permissions are “way too loose.” “Apple should not claim that an application cannot access data from another application,” said Seriot, who also works as an iPhone programming trainer at a company called Sen:te.
The PCWorld report went on to note that Seriot cited a number of iPhone apps, including one called Aurora Feint and another called mogoRoad, that made it into Apple’s App Store before being de-listed for privacy violations involving the harvesting of iPhone users’ contacts, e-mails and phone numbers. Apple reviewers can be fooled, and the likelihood of this continuing to occur appears high, especially as the iPhone, now at about 34 million devices in the market, becomes an increasingly appealing target for hackers, he was quoted as saying.
Seriot is examining these kinds of issues for some Swiss financial institutions that want to know about iPhone security and privacy. About 8% of iPhones today are believed to be “jailbroken,” meaning the user has effectively disabled controls in order to run whatever software he wants, not just what’s available in the App Store, and malware aimed at them is starting to grow.
Separate from the jailbroken issue, Seriot has found in his own investigation that sensitive personal data can be picked up just by building an application using the known iPhone APIs. Seriot said he thinks Apple should build something akin to an application firewall for the iPhone, so that the user is informed when certain actions start to occur, such as an app trying to edit the address book, and can prevent them from happening.