Smartphone Security Revisited

20 11 2011

by Shanief Webb

In my previous blog post[1] I introduced the threat of mobile applications stealing personal user data from the smartphones they are installed on. However, at that time I focused only on the Android mobile operating system. Now I’d like to look at a similar situation involving mobile applications on Apple’s iOS.

TG Daily[2] reported today that Charlie Miller submitted a malicious app to Apple’s App Store. Unlike the Android Market, Apple actually has a person review each app before it is allowed into the App Store. Although Apple has already removed the app from the App Store, we have to wonder how a malicious app can slip through the cracks.

In the case of Charlie Miller’s malicious app, it probably wasn’t human error that allowed his app into the app market, but rather “good” design. Apparently, Chris made an app that appeared to be doing something useful, so that it would not have raised any eyebrows. Specifically, the app appeared to monitor the stock market, but secretly made the device(s) it was installed on remotely controllable. Miller’s application was similar to the Android app I worked on in the spring of 2011 (noted in my previous blog post), and I should note that TG Daily claims that Miller published his app for experimental reasons (not to be truly malicious).

Several malicious apps similar to this have been released in Google’s Android Market, and for that reason I am surprised that Apple was not aware of and cautious enough about these kinds of apps to train its reviewers to look for possible malicious behavior in the background activity of applications. Furthermore, on average Apple takes about a month to reach an approval/disapproval decision on an app’s entry to the App Store, so I doubt that Apple was simply hurrying to get the app out of the approval process.

In Apple’s App Store Review Guidelines[3], a “living” document, Apple describes some scenarios that can cause an app to fail the review process. A few of these scenarios apply to Chris Miller’s app:

  • “Apps that do not perform as advertised by the developer will be rejected”
  • “Apps that include undocumented or hidden features inconsistent with the description of the app will be rejected”
  • “Apps that read or write data outside its designated container area will be rejected”
  • “Apps must comply with all legal requirements in any location where they are made available to users. It is the developer’s obligation to understand and conform to all local laws”

(Apple App Store Review Guidelines)

The last bullet encouraged me to look into Apple’s Privacy Policy[4] to see what Apple guarantees its customers in terms of personal information on their mobile devices. I found that personal information shared on some Apple products is “visible to other users and can be read, collected, or used by them” (Apple Privacy Policy) and that Apple expects users to be cautious about the information they share. In other words, Apple doesn’t provide much protection for its customers’ information and holds its customers liable for any theft or misuse of their personal information. Similarly, Google’s Privacy Policy[5] for mobile devices has a conceptually identical clause: “If you decide to use third party applications on your device, any information those applications collect may be sent to third parties and the Google privacy policies do not apply.” (Google Mobile Privacy Policy)

Personally, I do not like the fact that Apple and Google hold their customers liable for the personal information on their mobile devices, but at the same time I respect their stance, because they open their app markets to third-party developers and cannot be fully aware of all the damage malicious developers could potentially cause.
