Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Lawsuit Claims Top iPhone Games Stole User Data

Soulskill posted more than 4 years ago | from the shake-up-and-down-to-send-credit-card-details dept.

Cellphones 149

pdclarry writes "Storm8, a maker of some top iPhone games, allegedly stole users' mobile phone numbers, according to a lawsuit filed on November 4. The suit claims that best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. There have been other reports of applications copying personally identifiable customer information in the past. The complaint seeks class-action status."

cancel ×

149 comments

Big Surprise... (3, Insightful)

Super Dave Osbourne (688888) | more than 4 years ago | (#30023770)

Is it a real surprise that there are iPhone apps out there that snoop, and bypass safeguards. When will encrypted data at the 2048 and higher bit level make it into the tech we take for granted on a daily basis. If you want safeguards, folks need to start using the stuff out on the market that is free to give them some level of protection against theft. Don't lock the door well, expect thieves, don't weatherize in well, expect to get cold. Don't encrypt your data, expect to lose it to theft.

Re:Big Surprise... (5, Insightful)

Quantos (1327889) | more than 4 years ago | (#30023788)

We have to be on guard for this behavior with computers, why are people surprised that it happens with mobile devices? That brings one question to mind though. Do they not verify the applications that are put up on their store?

yeah, right! (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30023944)

To be fair, given apple's reputation of 'protecting' their users by banning apps for all and sundry stupid reasons, it's only fair to lay the blame on the company for failing to protect against this.

You can't have the cake and eat it too.

But of course, if it's apple - apparently they can, at least here on /.

Re:yeah, right! (4, Funny)

E IS mC(Square) (721736) | more than 4 years ago | (#30023964)

Apparently, having the word 'iphone' in the app name is harmful, but allowing some other app to steal user data is okay - as long as it does not have the name 'iphone' in the app name.

But it's apple!! They can't do no wrong!!

Re:yeah, right! (1)

dotgain (630123) | more than 4 years ago | (#30025010)

But it's apple!! They can't do no wrong!!

They're a company, protecting their profits with nary a regard for their customers welfare. They're doing no more wrong than what's expected of any company.

Re:yeah, right! (2, Interesting)

DJRumpy (1345787) | more than 4 years ago | (#30025070)

They never guarantee that they will remove all malware, although they reserve the right to ban any application that is deemed dangerous. Unless they were to visual verify every line of every code of every applications (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.

I for one would prefer that they make the attempt, rather than taking the MS approach of relying on heuristics to identify them.

Re:yeah, right! (1)

Turzyx (1462339) | more than 4 years ago | (#30025498)

Unless they were to visual verify every line of every code of every applications (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.

And yet, all of those 100,000 apps have gone through Apple's verification and approval process. What exactly is involved in that? I would say checking for malicous activity and programs attempting to gain access to privilaged information would be the bear minimum, surely?

IANAL, but a content provider that facilitates distribution of malware/spyware through its portal must be culpable to some extent?

Re:yeah, right! (3, Informative)

DJRumpy (1345787) | more than 4 years ago | (#30026364)

> IANAL, but a content provider that facilitates distribution of malware/spyware through its portal must be culpable to some extent?

No they aren't. You should know better if you're on this site. That's like saying the internet providers are responsible for all malware.

They check apps for content and for duplicated functionality. They don't do a line by line review of every piece of code, nor do they claim to do so.

Re:yeah, right! (2, Insightful)

Dare nMc (468959) | more than 4 years ago | (#30027526)

I would agree, except apple's setup seams to prevent anyone but apple being able to prevent this. Most other platforms you could install a debugger/logger, but that would be banned on any phone that can access the app store. In a open development environment you could have open source apps that the customers can compile themselves insuring any suspicion can be verified in source as intent, again not option in the apple environment. Apple better have a terms of use for application developer so that these suppliers are are in-deed punishable by apple. Since again, the customer only deals with Apple for the applications, it seams to me, Apple should be the first ones to sue these developers, since they are likely to take the most damage from this.

Re:yeah, right! (2, Insightful)

DJRumpy (1345787) | more than 4 years ago | (#30027760)

No play for play software producer would open the source on their currently selling software. At a minimum, should the charges prove true, I would think Apple will yank the app (potentially all apps from that vendor I would think). This is a pay app, not a free one.

I would also think that legal action, both by individuals, and by Apple is pretty much a given should it prove to be true.

Re:yeah, right! (1)

Turzyx (1462339) | more than 4 years ago | (#30028432)

Sorry, allow me to clarify.

Since it is not possible to buy apps except through the app store, it can be said that Apple is almost the publisher/distributor for these apps.

If I purchased a video game, and it contained malware, then I sure as hell would want the publisher/distributor to take some responsibility for this.

You can't slap your name on a product, sell it, make money from it and take on none of the risk.

Re:yeah, right! (1)

DJRumpy (1345787) | more than 4 years ago | (#30028590)

Again, you're looking to assign blame where none exists. The responsible person is the app developer, not Apple. This same tack was tried with internet providers. If they were opened to legal action due to the malicious intent of others then there would be no internet providers. None would be crazy enough to enter into that legal nightmare. Any digital distribution for online software would be at risk, and would also disappear in short order I would imagine.

It's obvious you dislike the Apple model and it's closed system, but trying to imply responsibility on Apple for another's malice won't fly, just as it doesn't fly trying to hold internet providers responsible for what their users do. If this app is found to be breaking the rules, I have zero doubt it would be removed from the store and probably deleted from any iPhone that uses it. That is all Apple needs to do to secure it's user base. No further action would be required, other than refunding said purchase price, which I'm sure Apple would be suing the creators for recovery costs.

Re:yeah, right! (2, Insightful)

MightyMartian (840721) | more than 4 years ago | (#30028706)

One of the chief rationales constantly given for Apple's labyrinthine and bizarre rules is to protect the "experience". If Apple is allowing malware in their store, then I think they should taken to task for screwing with the "experience".

Re:yeah, right! (1)

DJRumpy (1345787) | more than 4 years ago | (#30028744)

Are you implying that they knowingly 'allowed' a known app that collects personal information into the App store?

Re:yeah, right! (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#30025808)

The XNU kernel on the iPhone supports fine-grained profiles for restricting what applications can do. If something is a game, then it needs to access the display, write to the app's directory, and nothing else. This should be enforced by the kernel. Apple has even written a policy for this already, which ships with OS X on the desktop (I've never met anyone who uses it, but it's there). There is no excuse for not using this on the iPhone.

Re:yeah, right! (1)

DJRumpy (1345787) | more than 4 years ago | (#30026420)

I agree wholeheartedly. Any reasonable security measure that doesn't put undue burden on a developer should absolutely be implemented.

I suspect they may have to find a way to enforce use of such profiles at some point if they want to keep things tidy. I'm actually surprised they don't do so already.

I have to wonder if these in-game upgrades go through the same strenuous review process that the initial app does?

Re:Big Surprise... (1, Interesting)

harlows_monkeys (106428) | more than 4 years ago | (#30023858)

You need to think about that some more. Unless the user is required to enter their password every time they access the data (which would get very annoying real fast), there will have to be some kind of key caching, with safeguards to prevent the wrong applications from using it. What's to stop a bad application from bypassing those safeguards?

Re:Big Surprise... (5, Insightful)

E IS mC(Square) (721736) | more than 4 years ago | (#30024010)

>>What's to stop a bad application from bypassing those safeguards?

Whatever happened to Apple's policy of babysitting their users by allowing only certain apps? Wouldn't this application exactly the kind of crap users should be protected against?

It's been claimed on /. by appple apologists that that's the way apple protects its users. But apple is actually doing is protecting its pockets by banning applications which takes business away from them or AT&T - while such apps are in the wild - blessed by Apple.

Re:Big Surprise... (0, Flamebait)

E IS mC(Square) (721736) | more than 4 years ago | (#30024088)

flamebait? Oh man, did I just commit a cardinal sin of blaming apple?

Re:Big Surprise... (2, Insightful)

jo_ham (604554) | more than 4 years ago | (#30024500)

No, you just made a claim about "appple apologists" [sic] that you completely failed to back up. You then threw out your own baseless accusation, again with no citation.

Textbook flamebait.

You can replace "Apple" with "MS" or "Sun" or "Verizon" or "Amazon" or "Google" for exactly the same mod result.

Re:Big Surprise... (0)

Anonymous Coward | more than 4 years ago | (#30024620)

>> You can replace "Apple" with "MS" or "Sun" or "Verizon" or "Amazon" or "Google" for exactly the same mod result.

On slashdot? In your fucking dream.

Re:Big Surprise... (1, Flamebait)

lena_10326 (1100441) | more than 4 years ago | (#30026912)

Textbook flamebait

No offense but.. I think guys like you crying flamebait are big fat pussies. Seriously.

Re:Big Surprise... (1)

jo_ham (604554) | more than 4 years ago | (#30027100)

Hey, I'm just explaining why he got the mod. I'm not judging one way or the other, nor am I the one who modded it that way.

In my experience, "flamebait" typically means "I do not agree, thus I mod you flamebait", but in some cases, it actually does mean what it says, hence: textbook.

Re:Big Surprise... (4, Funny)

CharlyFoxtrot (1607527) | more than 4 years ago | (#30024266)

If you want infallible maybe they should get the pope to do app reviews.

Re:Big Surprise... (0)

Anonymous Coward | more than 4 years ago | (#30024366)

Oh yes. But apple fanbois hammering MS for everything is apparently okay. Pope does not figure in those discussion!?

Apple apologist finally out to defend, eh?

Re:Big Surprise... (3, Insightful)

R3d M3rcury (871886) | more than 4 years ago | (#30024410)

So Apple will try but they may make mistakes. Fair enough.

But if we accept the fact that mistakes will be made, how is this better than either a "Wild West" approach where anyone can publish applications with no review whatsoever or, conversely, a competitive store approach where some stores will be better than others about evaluating what an app does?

Re:Big Surprise... (1)

CharlyFoxtrot (1607527) | more than 4 years ago | (#30024572)

The rationale is that Apple products are strongly associated with the brand and everything that goes wrong will reflect badly on Apple even if the apps are not associated with Apple in any way. Opening up the iPhone to other stores in that line of thinking would increase the risk of damaging the brand by vastly increasing the opportunity for malicious and inappropriate apps. Just read this thread and see how many people are ready to blame Apple because some software publishers are shady assholes.

Personally of course I don't agree with this corporate type logic which is why I jailbreak and unlock my iPhone.

Re:Big Surprise... (2, Insightful)

sjames (1099) | more than 4 years ago | (#30025192)

Apple would receive no blame at all here except that they claim to protect users from this sort of thing. In order to provide this "protection", they make developers of potentially useful apps jump through a series of flaming hoops, yet managed to defeat the entire point by allowing the Storm8 games right in. That is, they endorsed the app by screening it for harmful behavior, pronouncing it good, and then offering it in their app store.

It should be no surprise that if Apple will claim to be providing this protection and then fails to do so, they will catch some heat over it.

If they had left things open and the same thing happened, instead the comments would be a mixture of "that's what happens when you install random binaries you download from the net" and calls for Storm8 to be treated just like a script kiddie would be if caught. Apple would be left out of it because they neither produced nor endorsed the apps.

Storm8 proclaims that the data collection was a bug rather than deliberate. If so, that just makes it worse for Apple's claims that they must screen all apps for their user's own good.

Re:Big Surprise... (2, Insightful)

DavidTC (10147) | more than 4 years ago | (#30028062)

Exactly.

Apple is playing both sides here. Either their app store is safe, or it isn't.

If it isn't safe, 90% of their excuse for not allowing people to download apps from anyone is nonsense.

Re:Big Surprise... (0)

Anonymous Coward | more than 4 years ago | (#30025616)

If you want infallible maybe they should get the pope to do app reviews.

thats a total BS response. NO! Apple wants and has total control of apps. I would think that this kind of breach of trust would have been covered in the Apps store terms of use. If it is not then that's the last app I buy until it is.

Re:Big Surprise... (1)

jcr (53032) | more than 4 years ago | (#30024788)

Wouldn't this application exactly the kind of crap users should be protected against?

Of course it is, and you can bet that Apple's investigating it right now. If it turns out that this vendor is violating the terms of the App store, those apps will be yanked.

-jcr

Re:Big Surprise... (0)

Anonymous Coward | more than 4 years ago | (#30024862)

What would be any apple discussion be without the ever defending jcr?

If Apple is reviewing this now (after the damage is done), what the fuck is their 'application approval' thing is for when applications are 'submitted' for 'review' before they are approved?? Oh, I see. To weed out competitors? But then, you wont agree to that either.

No matter which way, apple is always right. Right, you fucking fanboi?

Re:Big Surprise... (0, Flamebait)

indiechild (541156) | more than 4 years ago | (#30027638)

Mental illness much?

Re:Big Surprise... (2, Insightful)

sjames (1099) | more than 4 years ago | (#30025296)

They've had since at least August 27th to correct their oversight (the date when Storm8's behavior was first documented publicly [sfgate.com] ). Considering that it could be verified by just installing one of the listed games and running tcpdump while registering it, I'd have to say they haven't been at all interested in investigating.

Just to add to it, Storm8 doesn't even deny that the collection happened! They only deny that it is intentional.

Re:Big Surprise... (0)

Anonymous Coward | more than 4 years ago | (#30026674)

If you're just saying random uninformed positive things about Apple in the hope it improves Apple's image and the value of your stock, note that most people on /. laugh at the nonsense you post. Everything you say counts against Apple by reinforcing the stereotype that its adherents are mindless fashionistas with no real enterprise or engineering ability or clout.

Moreover, the fact that Apple offered a job to someone with your critical thinking and analysis skills says more than enough about Apple. If I were you, I'd post all remaining fanboyism as AC.

tl;dr Your wearing the cult uniform reflects badly on the cult.

Re:Big Surprise... (1)

indiechild (541156) | more than 4 years ago | (#30027650)

It's obvious who the mindless, irrational zealot is here, and it certainly isn't jcr...

Re:Big Surprise... (0)

Anonymous Coward | more than 4 years ago | (#30027958)

indiechild - alter ego of jcr.

Re:Big Surprise... (1, Funny)

Anonymous Coward | more than 4 years ago | (#30023978)

Oh the fools! If only they'd built it with 6001 hulls! When will they learn?

Re:Big Surprise... (1)

John Hasler (414242) | more than 4 years ago | (#30024124)

> When will encrypted data at the 2048 and higher bit level make it into the
> tech we take for granted on a daily basis.

When a significant number of customers won't buy "tech" without it. The fact is most people don't care, including most of those who complain about it.

Re:Big Surprise... (2, Insightful)

Antique Geekmeister (740220) | more than 4 years ago | (#30026032)

When will a pony show up and dance the lambada? This has _nothing_ to do with the length of encryption keys, and everything to do with fine-grained data access. Unfortunately, a lot of apps were developed first, and security only thought of later. (Yes, I'm talking about CVS and Subversion and Jabber.) The results are predictable: personal data is not encrypted, and is shared freely to the local filesystem because the developers are not given the time, and the apps are not given the resources, to protect the data more thoroughly.

This data _should not have been accessible_ to unauthorized applications, true. But encryption in limited hardware like an Iphone is painful to provide at all, due to the speed and space limitations. 2048 is hardly necessary: most such data lives in plain-text, because the authors believe that its your operating system's problem, not yours. (Go look at Subversion's storage of plain-text passwords to see where this leads.)

Re:Big Surprise... (5, Insightful)

SleepyHappyDoc (813919) | more than 4 years ago | (#30024322)

Encryption wouldn't help here. The API allows access to all kinds of data on the iPhone, which some apps do legitimately require in order to function (for example, a Google Voice-type app would indeed need the user's phone number). Even if the data was encrypted, the iPhone would happily decrypt it and pass it to the app when given the proper API call. The issue here is enforcement. Developers caught doing this kind of thing should be banned from the App Store, and put on some kind of blacklist at Apple so Apple doesn't do further business with them.

API rules (1)

phorm (591458) | more than 4 years ago | (#30026160)

Well, when I use my "locator" on a 3rd-party apps, then the phone asks me if it's OK the first time around. If it's using an actual API then building a "safelist" and having it ask before sharing other private data shouldn't be so difficult. For a non-jailbroken phone, jailing the apps aware from that private data and requiring the API should make such things pretty hard to get away with.

Re:Big Surprise... (1)

harlows_monkeys (106428) | more than 4 years ago | (#30024836)

You need to think about that some more. Unless the user is required to enter their password every time they access the data (which would get very annoying real fast), there will have to be some kind of key caching, with safeguards to prevent the wrong applications from using it. What's to stop a bad application from bypassing those safeguards?

What you are describing are the kind of measures you take against outside attackers. The problem here is that the attacker is an invited guest. Locked doors don't do much against people you've invited in.

Re:Big Surprise... (1)

Runaway1956 (1322357) | more than 4 years ago | (#30025634)

How will encryption help, when the application that you've been duped into installing is DOING THE SNOOPING?!?!

Re:Big Surprise... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30025672)

Data encryption is just not practical within US boarders, our government is just too paranoid and nosy. Law enforcement will demand backdoors be required (such as CALEA, the Communications Assistance for Law Enforcement Act), and if there are backdoors built in for them to use then hackers and unscrupulous businesses will use them too.

Also no device using encryption can ever be offered for export, ITAR (International Traffic in Arms Regulations) forbids it, attempting to leave the USA with an iphone with encrypted data on it is exactly the same as attempting to smuggle out a nuclear weapon (in the eyes of the law anyway).

The only way to stop these scumbag businesses from snooping is to have actual consequences for getting caught. I'm not talking about a slap on the wrist and a little fine either, I'm talking about long prison sentences for company executives. Only once there are actual consequences with this activity stop.

Remember, if YOU were caught doing this then you would be sitting in lockup (with no bail) right now awaiting trial on multiple criminal felonies.

App Testing (0)

Anonymous Coward | more than 4 years ago | (#30023774)

Then what kind of app DOES Apple reject?

Re:App Testing (0)

Anonymous Coward | more than 4 years ago | (#30023802)

The kind that might hurt their ability to extract money from you.

Re:App Testing (5, Informative)

Jackie_Chan_Fan (730745) | more than 4 years ago | (#30024164)

skype, opera, flash, and c64 emulators

Re:App Testing (1)

GameboyRMH (1153867) | more than 4 years ago | (#30026224)

...and anything with naughty words in it, like dictionaries and lyrics apps.

Re:App Testing (1)

socsoc (1116769) | more than 4 years ago | (#30027706)

Or other naughty words, like iPhone

Clearly an inside job. (4, Funny)

Reeses (5069) | more than 4 years ago | (#30023782)

As strict as the Apple store is about getting actual useful apps in, and screening all kinds of apps based on one or two system calls, clearly the only way this could have happened is if Storm8 has someone on the Apple App Approval Team who they know. Otherwise, how would something like this have gotten past such a stringent code review?

Re:Clearly an inside job. (2, Interesting)

Super Dave Osbourne (688888) | more than 4 years ago | (#30023860)

That is of course assuming Apple has a tough scrutiny that is uniform across all apps and all its screeners. I often get the impression that with 1000s of crap apps submitted, and 1000s of crap apps approved, with 1000s of good apps rejected, and even more 1000s of crap apps rejected there is no rhyme or reason to the insanity that still is the approval process at AppStore. To summarize, they do what is necessary to keep it afloat, and no more. Others take advantage of it, and thinking there is some conspiracy at AppStore is as valid in my mind as the argument that this Storm8 upload of PNUM was a mistake/error. Just don't buy it.

Re:Clearly an inside job. (1)

tonycheese (921278) | more than 4 years ago | (#30023970)

(Psst... it was a joke. Nice uid, though.)

Re:Clearly an inside job. (1)

Super Dave Osbourne (688888) | more than 4 years ago | (#30024018)

Pretty good one too, just got it. I'm a bit slow today (usually most days) without coffee. Note to self, don't post emotion, post logic, with cream.

Re:Clearly an inside job. (5, Insightful)

SchroedingersCat (583063) | more than 4 years ago | (#30023904)

They don't have access to the code. Besides, reviewing the code requires non-trivial technical skills. They are checking that apps conform to certain standards. If somebody really wants to plant backdoor into their app then nothing can realy stop them. There must be an explanation for 10000 fart apps in the store. Perhaps some of them have VOIP client built in...

Re:Clearly an inside job. (1, Funny)

Anonymous Coward | more than 4 years ago | (#30024650)

They don't have access to the code. Besides, reviewing the code requires non-trivial technical skills.

Technical skills. Exactly the sort of thing Mac users don't have.

"Of the 235 million people in America, only a fraction can use a computer... Introducing Macintosh. For the rest of us." -- Apple Inc.

Re:Clearly an inside job. (2, Informative)

chocomilko (1544541) | more than 4 years ago | (#30024040)

Apple acknowledges the fact that developers might insert hidden content into their app to skirt the review process. They do warn, however, that they will eventually find out and yank your app -- which is what has happened here.

Unfortunately, app reviewers literally just install your app on a bunch of devices and tap around the screen to make sure nothing breaks, so any sort of hidden functionality will likely make it past the initial screening.

For the record... my app, Touch Health [milktouch.ca] , will not steal your phone number.

Re:Clearly an inside job. (1)

socsoc (1116769) | more than 4 years ago | (#30027802)

Thanks, I was worried that an obscure health app would do that. I now know that this isn't merely an attempt for you to get more hits, I was seriously worried that an app with a single review was busy stealing my data.

I've looked over your bullet points, still wondering where it becomes useful, you really expect emergency personnel to launch your app and find the "emergency contact" ? This is great. Maybe next you can add a method for me to identify myself when my wallet isn't sufficient, wait you already did that...

Re:Clearly an inside job. (2, Interesting)

DavidTC (10147) | more than 4 years ago | (#30028174)

That is possibly the stupidest review process I've ever heard of.

Surely Apple has some sort of iPhone emulator they can install on and see what files it accesses.

Hell, in this case, your phone number is being transmitted in cleartext, which should have been noticed via a sniffing.

Obviously, nothing could even entirely be 100% sure, (See: Halting problem), but it could be made damn hard for apps to do that sort of stuff.

At this point, it's looking like Apple's entire 'review' process is solely to keep competitors out. Yes, yes, I've always heard people say that, but I actually believe they were at least also keeping malicious software out.

Not so secret .. (5, Informative)

Anonymous Coward | more than 4 years ago | (#30023810)

Getting access to a user's phone number doesn't require a 'secret' code. Any app can do that.

http://blog.timeister.com/2009/06/25/objective-c-get-iphone-number/

well well well (0)

Anonymous Coward | more than 4 years ago | (#30024014)

there was me thinking that apple were just a very well marketed firm, one that makes money from sad people who need to express themselves with shiny lifestyle choices.

who'd have thought that they allow this kind of sinister thing to happen!!!!! can they be trusted with your data at all?

maybe this is why the business crowd won't go near the iphone, apart from the battery life, the dropped calls etc.

Re:well well well (1)

sogoodsofarsowhat (662830) | more than 4 years ago | (#30025434)

Please reply with you address..... I am going FEDEX you a clue!

What Safeguards? (5, Informative)

hdurdle (199425) | more than 4 years ago | (#30024070)

How is using standard, documented, code bypassing safeguards?

NSString *telnum = [[NSUserDefaults standardUserDefaults] stringForKey:@"SBFormattedPhoneNumber"];

On most devices - at least those that were activated via iTunes - that will return the phone number. Or null if you're on an iPod Touch.

Okay, so the developer shouldn't have been harvesting this data, and definitely not without protecting it, but I fail to see how this was bypassing safeguards!

Re:What Safeguards? (5, Informative)

RobTerrell (139316) | more than 4 years ago | (#30024334)

Mod parent up. There's no safeguards. The Cocoa Touch SDK doesn't protect the user's phone number or name. Even the contents of the entire address book are accessed without safeguards. I was amazed to learn that I have to give an app permission to get my location, but meanwhile apps could pull every email address from Contacts and post them to a web server somewhere without my ever knowing.

Re:What Safeguards? (0)

Anonymous Coward | more than 4 years ago | (#30024528)

If this is true for the iPhone then I'm going to be seriously pissed off. So pissed off I'll shove the thing down the throat and out the other end of the incompetent moron who sold it me, telling me that it was secure. I am seriously done with Apple products now.

Re:What Safeguards? (0)

Anonymous Coward | more than 4 years ago | (#30024618)

Haha, very funny, but we all know your mom wouldn't let you have an iPhone.

Re:What Safeguards? (1)

BikeHelmet (1437881) | more than 4 years ago | (#30025682)

So basically, it was designed with the same philosophy as Windows?

I can predict how this is going to end!

Re:What Safeguards? (4, Interesting)

IamTheRealMike (537420) | more than 4 years ago | (#30026038)

What? Seriously? Why does this never come up in iPhone vs Android reviews? The Android security system isn't perfect, but it does at least tell you what an app will be able to do ahead of time. If I install a game and it wants to read my address book, I think twice.

Re:What Safeguards? (1)

TheRaven64 (641858) | more than 4 years ago | (#30025852)

Wow, not only is the security bad, that's a really horrible way of storing data. If every app can see it like that then it must be stored in NSGlobalDomain, rather than in the address book's user defaults, and it's stored in a completely unstructured manner. I thought it was impossible to do this in a worse way than the AddressBook framework on OS X (thankfully largely obsoleted now by sync services), but apparently Apple succeeded.

approval process a joke. (0)

Anonymous Coward | more than 4 years ago | (#30024126)

google was able to push private api's in the google iphone app.

other apps were able to by pass the no streaming over 3g by putting a unseen area to touch to enable 3g streaming.

the only thing the approval process does it what apple wants in terms of type of app on its phone.

No private API's in Google app. (1)

SuperKendall (25149) | more than 4 years ago | (#30025048)

google was able to push private api's in the google iphone app.

This is false, it was found to simply be a notification they listed to, not an unpublished call they made. When the system calls you, that is not misuse of a private API.

There have been other groups that have snuck use of a few marginal API calls past app testers, but they are cracking down. And as other people noted, you can use the public API's just fine to get at the phone number.

note to Apple (4, Interesting)

N!NJA (1437175) | more than 4 years ago | (#30024130)

mass-adoption is a security liability. it must be feared as much as holes and bugs in software. how does it feel to be in Microsoft's shoes? go ahead, fanbois. mod me down.

Re:note to Apple (1)

gravos (912628) | more than 4 years ago | (#30024656)

Truer words are rarely spoken.

Re:note to Apple (0)

Anonymous Coward | more than 4 years ago | (#30025362)

Truer words are rarely spoken.

Especially by aggressively in-your-face tolls.

Re:note to Apple (0)

Anonymous Coward | more than 4 years ago | (#30024658)

And security through obscurity is no security at all.

Re:note to Apple (3, Insightful)

140Mandak262Jamuna (970587) | more than 4 years ago | (#30025546)

mass-adoption is a security liability. it must be feared as much as holes and bugs in software. how does it feel to be in Microsoft's shoes? go ahead, fanbois. mod me down.

Oh, really? Take a look at the market share of Apache webserver. [netcraft.com] Now which is more secure? IIS or Apache? They are plump target for every organized crime outfits in the world. They host banks and brokerage accounts that transact trillions of dollars day in day out. And the organized crime outfits don't limit themselves to simple hacker techniques. They would not mind murder and kidnapping and bribing to get passwords or breaking and entering to install key loggers. In that market place Apache shines and IIS lags.

Mass adoption alone is not a security liability. Mass adoption of closed proprietary protocols, be it Apple, be it Microsoft, be it Diebold, is a security liability. The reason is the main interest of Apples and Microsofts and Diebolds is to sell more of their product. Not security of user data. It is important only as much as it affects sales. If there are other factors that influence sales they will be the preoccupation of these companies, not security of user data.

Re:note to Apple (1)

garote (682822) | more than 4 years ago | (#30025804)

Ok, if you insist. ...

Seriously, you make a good point, but you've deliberately tarnished it by expressing a smarmy - some would call it unnatural - preference for attention from "fanbois".

Why do you seek them out?

After all, this is the domain of the big players (1)

deodiaus2 (980169) | more than 4 years ago | (#30024138)

Isn't it that it is all right for your carrier (ATT & Verizon) to sell your phone records (Amdocs) to anyone who has a couple of bucks? How dare these little players get into this game. Next thing you know is that customers might start thinking that their financial records are their alone and not the property of their financial institutes. I keep reading more and more about how the 4th Amendment does not apply to records stored on servers, only to records that are physically located in your house. Next thing you know, attorney client privileges will be the property of the attorney who will charge you even more if he has something really incriminating.

Look for a lawyer... (1)

NotQuiteReal (608241) | more than 4 years ago | (#30024318)

The complaint seeks class-action status

Even if the "class", um, "wins", it would be something like this; Lawyer gets well paid for all the hard work to bring justice to the world.

iPhone users get a coupon for a free iPhone download or two.

Re:Look for a lawyer... (1)

T Murphy (1054674) | more than 4 years ago | (#30024744)

...and app makers have to think harder about their bottom line when collecting user data and not being upfront about it.

This is isn't new (2, Informative)

Anonymous Coward | more than 4 years ago | (#30024370)

You can get device id (often the number) on games/apps from a variety of carriers. We're contractually bound only to use it for reporting back to them. Esp for subscription games. There's that line about sharing info with our partners in nearly every privacy clause, basically we use it to track you but not to market to you.

And yes I've worked in the industry for a while.

Apple's "Security" Focus (or lack their of) (4, Interesting)

thesandbender (911391) | more than 4 years ago | (#30024408)

As a recent convert to Apple (short story OS X is a nice balance between Unix and applications I need to use for my client base) I was a little shocked by how nonchalant Apple seems to take user security.

1. MacBook's default to no user authentication which is unacceptable for a portable device that can be stolen or misplaced.
2. The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.
3. And as a completely random example... AppleTV only supports WEP. I know this is a nit-picky thing but it shows Apple's indifference. WEP has been thoroughly and completely broken... yet one of Apple's primary devices will not support a more secure protocol. You want to use your new toy you have to downgrade your security.

I like OS X and the new unibody MacBooks just rock... but Apple's shwarmy and basically indifferent attitude to security is going to end up biting them in the arse.
/I've strapped on my fire-proof britches... fire away :)

Re:Apple's "Security" Focus (or lack their of) (4, Informative)

kegger64 (653899) | more than 4 years ago | (#30024560)

Not a flame, just a correction... the AppleTV supports WPA encription as well as WEP, and has for years. See http://www.engadget.com/2007/04/05/apple-tv-review/ [engadget.com] .

Re:Apple's "Security" Focus (or lack their of) (1)

thesandbender (911391) | more than 4 years ago | (#30024948)

Hmm... I tried it on two different networks and it would not recognize either. One was a Belkin and the other was a Linksys WRT54GL running OpenWRT. Both were broadcasting their ESSID and neither were MAC-filtering. The AppleTV was running the lastest firmware. The only difference I see from your link was that both were running WPA/WPA2 and not just bog standard WPA (though that's what they may have meant). T

Re:Apple's "Security" Focus (or lack their of) (2, Interesting)

jo_ham (604554) | more than 4 years ago | (#30024644)

1. If your Macbook is stolen, your data is compromised whether you have user auth on or not, since with an OS X install disk you can reset the admin password. Alternatively they can just boot it in firewire mode and mount the disk on another machine and take your data that way (or physically remove the HD). Unless you specifically set your keychain password to something other than your admin password this also means any password you store in there is compromised too. Are you suggesting that Macbooks ship with Filevault turned on? I would suggest that when you start a new user profile that it recommends that your keychain master password is different from your login password, but this is going to get in the way of a smooth user experience (which is a crummy reason to reduce security, but there is a balance between security and convenience that we all have to decide on) - by default the Mac is pretty open, but you can chose to enable the firewall, create different passwords for your keychain, run as a non-admin user etc etc as you see fit.

2. Yes, it should be on by default. I have no idea why it isn't.

3. The Apple TV is a bit of a special case - it should be updated to newer wireless standards, but I assume there is a technical reason why this is not so at the moment. Everything else on current Mac hardware on the wireless front (ie, anything that is g or better) supports at least WPA or WPA2 as well as the more esoteric WPA2 enterprise protocols as well as the less secure WEP stuff for compatibility. If you have an Apple TV on your network, you either need to drop to WEP or hook it up over ethernet - a problem that does need to be addressed.

Re:Apple's "Security" Focus (or lack their of) (0)

Anonymous Coward | more than 4 years ago | (#30024808)

1. If your Macbook is stolen, your data is compromised whether you have user auth on or not, since with an OS X install disk you can reset the admin password. Alternatively they can just boot it in firewire mode and mount the disk on another machine and take your data that way ...SNIP

unless you lock down your firmware that is.

Re:Apple's "Security" Focus (or lack their of) (1)

thesandbender (911391) | more than 4 years ago | (#30024874)

My point was the *default* protection. Not sure if you mean a BIOS/Firmware password or physically securing your laptop but neither are "default" or even openly recommend by Apple.

Re:Apple's "Security" Focus (or lack their of) (1)

jo_ham (604554) | more than 4 years ago | (#30024904)

...which is covered by "physically remove your hard drive" which I wrote literally right after that, but you chose to only partially quote my sentence and leave out that bit. Did you stop reading, or just chose to selectively quote? You can't be karma whoring since you are AC.

Re:Apple's "Security" Focus (or lack their of) (1)

thesandbender (911391) | more than 4 years ago | (#30024982)

Sorry... distracted by the getting AppleTV to work with WPA post. I actually had a few OSX fanatics tell me it couldn't be done (and experience backed this up). So... short answer... no I didn't read your entire post. Sorry. T

Re:Apple's "Security" Focus (or lack their of) (1)

windwalkr (883202) | more than 4 years ago | (#30027354)

Unless you specifically set your keychain password to something other than your admin password this also means any password you store in there is compromised too.

This doesn't sound correct. As far as I'm aware, overriding the admin password will not grant access to keychain?

Re:Apple's "Security" Focus (or lack their of) (0)

Anonymous Coward | more than 4 years ago | (#30027436)

You are correct. Overriding the admin password will not change the keychain password, and the keychain will remain inaccessible to anyone who didn't have the original admin password.

Which of these are valid... (3, Informative)

SuperKendall (25149) | more than 4 years ago | (#30025036)

MacBook's default to no user authentication which is unacceptable for a portable device that can be stolen or misplaced.

Are you sure about that? Every new Mac I've seen, you have to set up a user account (with password) first. Are you talking about how there is a setting to log you in automatically on restart?

The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.

This makes no sense. No ports are open by default, so just what would the firewall be, well, firewalling? With no ports open by default it's pretty much pointless to target any of the services since so few of them are likley to be turned on across the population. That's actually the real reason we've seen no viruses on OS X, because there's no target vector wide enough to be worth the trouble - thus all attacks are trojan style.

If a particular app has a flaw how does a firewall help, if that app choses to listen on a port? Wouldn't it have to do that around the firewall anyway?

And as a completely random example... AppleTV only supports WEP

As stated by other posters, this is not correct.

I like OS X and the new unibody MacBooks just rock... but Apple's shwarmy and basically indifferent attitude to security

I disagree here, I think Apple has been very security conscious in the ways that actually matter most to users.

Re:Which of these are valid... (0)

Anonymous Coward | more than 4 years ago | (#30026052)

So, basically, what you are saying is you are another fanboi who can't tire of sucking Steve Jobs' dick. Well, we already know that!

Re:Apple's "Security" Focus (or lack their of) (2, Informative)

cbreak (1575875) | more than 4 years ago | (#30026676)

For 1: User authentication does not help against data loss due to stolen or lost hardware. Local access means root access, unless encryption is used. And Apple can't turn on FileVault by default since users that aren't careful (master password, write their password down and store it in a safe) would just forget their passwords and lose access to their data permanently.
For 2: The purpose of a firewall is to filter traffic to open ports. Mac OS X has no open ports by default. Any services the user chooses to run have to get a hole in the firewall anyway to work. So how exactly would turning the firewall on by default help the security against intrusion?

Privacy applications are available.... (5, Interesting)

westyvw (653833) | more than 4 years ago | (#30024536)

If your phone is jailbroken. I do not know if it protects the user form this company, but it does block information that other companies have been known to try and get. Yet Apple is still trying to convince users that the App store is the only safe place for software.

Hope Apple is named in the suit as well (0, Troll)

xednieht (1117791) | more than 4 years ago | (#30024756)

Their app review process and tight control over the apps (both the epitome of stupidity IMO) make them a prime candidate to be named as defendant. Have not RTFA but hope they get the sued and lose big time for their arrogance. Fuck Steve Jobs.

mod uP (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30026418)

a dead man walking. coomitterbase and

Slashdot stole my IP! (0)

Anonymous Coward | more than 4 years ago | (#30026498)

Oh noes! My IP address is on the internets! Slashdot must have stoles it! Money please... I mean... lawsuit! Lawsuit!

Purchasing an application on a *mobile phone* - and then complaining that the purchaser knows who you are is, quite frankly, brutally retarded.

SFGate are hypocrites.. (0)

Anonymous Coward | more than 4 years ago | (#30026608)

That idiot who wrote the SFGate article is a shit-eating hypocrite.

Because in order to comment on his site, you have to register. To register you have to provide an email address, zip code, age and gender.

THERE IS NO REASON TO REQUIRE ALL THAT INFORMATION.

Re:SFGate are hypocrites.. (0)

Anonymous Coward | more than 4 years ago | (#30027174)

It probably kept you from commenting there, right?

THERE IS YOUR REASON.

The number of ridiculous, drooling Mac-hating retards on this site rivals that of Youtube. It's impressive.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...