Backdoor in top iPhone games stole user data, suit claims

A maker of some of the most popular games for the iPhone has been surreptitiously collecting users' cell numbers without their permission, according to a federal lawsuit filed Wednesday. The complaint claims best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the …

COMMENTS

This topic is closed for new posts.
  1. Gannon (J.) Dick
    FAIL

    Professional Courtesy ?

    (Storm8 titles such as iMobster continue to be available there.)

  2. Anonymous Coward

    "a bug that has been fixed."

    Quote of the year?

    Yeah, that bug, y'know, that one that causes the user's phone number to be accessed via a known vulnerability and then put into a variable named "pnum" and sent across to the Studios' servers in an HTTP GET request, in the URL that is generated by the game when looking at your scores?

    Yes...that bug.
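The exfiltration path the comment above describes (a phone number carried as a "pnum" query parameter in a GET request made when fetching scores) is the kind of thing an egress proxy log review can catch. This is an added example, not code from the article, Storm8 or The Register; the log format, app names, hosts and parameter names other than "pnum" are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log: timestamp, client User-Agent, method, full URL.
SAMPLE_LOG = """\
2009-11-05T12:01:14Z ua="iMobsters/1.2 CFNetwork" GET http://scores.example.invalid/top?uid=88213&lvl=14
2009-11-05T12:01:20Z ua="iMobsters/1.2 CFNetwork" GET http://scores.example.invalid/top?uid=88213&pnum=14155550123
2009-11-05T12:02:03Z ua="Weather/3.0 CFNetwork" GET http://wx.example.invalid/forecast?zip=94105
2009-11-05T12:03:41Z ua="OtherGame/0.9 CFNetwork" GET http://api.example.invalid/sync?tel=%2B1-415-555-0199&score=900
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) ua="(?P<ua>[^"]*)" (?P<method>[A-Z]+) (?P<url>\S+)$')

# Parameter names that typically carry a subscriber number ("pnum" is the one
# named in the comment; the rest are common aliases, assumed for the example).
SUSPECT_KEYS = {"pnum", "phone", "phonenumber", "tel", "msisdn", "mobile"}
# 10 to 15 digits once punctuation is stripped is the shape of an E.164-style number.
PHONE_DIGITS = re.compile(r"^\d{10,15}$")


def looks_like_phone(value):
    """True if the value, stripped of formatting, has phone-number length."""
    return bool(PHONE_DIGITS.match(re.sub(r"\D", "", value)))


def find_phone_leaks(log_text):
    """Return one finding per query parameter that names or resembles a phone number."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        parts = urlsplit(m["url"])
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            key_hit = key.lower() in SUSPECT_KEYS
            value_hit = looks_like_phone(value)
            if key_hit or value_hit:
                reason = "key+value" if key_hit and value_hit else ("key" if key_hit else "value")
                hits.append({"ts": m["ts"], "app": m["ua"], "host": parts.hostname,
                             "method": m["method"], "key": key, "reason": reason})
    return hits


def apps_leaking(hits):
    """Distinct client identifiers involved, for triage."""
    return sorted({h["app"] for h in hits})


if __name__ == "__main__":
    for h in find_phone_leaks(SAMPLE_LOG):
        print(f'{h["ts"]} {h["app"]} -> {h["host"]} param={h["key"]} ({h["reason"]})')
```

Matching on parameter name alone misses a renamed field, and matching on value alone will flag any long numeric id, so the two reasons are kept separate for triage.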

  3. UkForest

    Good Luck To Them...

    Huummm... As a 30-year-old I shouldn't really admit to playing games all day, but.... iMobsters is a quality, real-time game which is highly addictive, but get this.... It's FREE.

    If they want my number they can have it; maybe they should've asked, but I've been playing for a while and never had one strange tele-marketing call.

    Ever get the thought "Oh, I'm American, I'll sue!" springing to mind?!

  4. Pascal Monett Silver badge

    What about Apple's "approval" procedure ?

    Not that I know any specifics, but it seems to me that Apple is refusing some apps and approving others. Storm8 is obviously scum, but I wonder if Apple is not going to be tainted by this scandal since only Apple-approved apps are available on the Iphone-store-thingy.

    If I've understood the situation correctly, that is.

  5. Paul Hates Handles

    Wah wah wah

    Smells like someone got caught pirating the app and is pissed off.

  6. phil 21

    > Paul HH

    how do you pirate a free app ? :)

  7. Anonymous Coward
    Jobs Horns

    A Bug ?

    Yes, it's a bug that not only does the code gather the number, but that it successfully transmits it, and that there is a server sitting somewhere ready to receive it.

    I don't think so!

    And this leads to the question - just what do Apple do when they check and APPROVE applications for the App Store?

  8. jonathan keith
    Grenade

    @ Paul Hates Handles

    So you think that this kind of behaviour from Storm8 is perfectly reasonable? You're a fucking idiot. Happy Friday.

  9. Anonymous Coward
    Happy

    "A bug that has been fixed"

    Blimey! A bug that accidentally collects phone numbers and transmits them over-air to who-knows-where makes your average IE javascript buffer overflow vulnerability look distinctly boring.

    With a good collection of bugs like that, you could accidentally write all sorts of useful stuff.

  10. Anonymous Coward
    FAIL

    What is with Apple & testing?

    So Apple really test these apps then!! As well as they test their own updates it seems.

  11. Anonymous Coward
    WTF?

    @By Paul Hates Handles

    The article says that some (most?) of the applications are free, so why would piracy be a factor?

  12. Stuball

    @Jonathan Keith

    Agree completely. The posts on this article amaze me, such as "If they want my number they can have it, maybe they should've asked"... Maybe? What the hell has maybe got to do with it? They are legally obliged to ask, and to not be considered as greyware they have to make it pretty damn clear too.

    Some people deserve to have their data stolen, I think the applicable governments/dictators should step in and remove devices that that are capable of internetworking from anyone retarded. That would solve so many things...

  13. Annihilator
    FAIL

    A bug?

    Presumably it falls on its ass whenever run on an iPod Touch then?

    Utter utter fail - there is never a need to request a phone number for an application. Or at the very least, Apple firmware should ask your permission first. Christ, it asks permission for an app to use location data. "Phone number" comes way higher on the list of things I don't want random developers to know than "where am I". My location is transient, my phone number generally isn't.

    I'm directing this fail to Apple more than Storm8.

  14. Jamie Kitson

    Backwards!

    > "a bug that has been fixed."

    It's not a feature it's a bug!

  15. Adam Salisbury
    Pint

    @ Jonathan Keith

    Well said!

  16. magnetik
    WTF?

    Approvals

    Do you guys think Apple has the time to check the source code of every app submitted? Hello, they get something like 8,000 app submissions per week. You could reasonably expect them to do some testing to check that it doesn't easily crash, or that it conforms to the Apple UI guidelines, but do you really expect them to check for dodgy activity like this? Let's be realistic. Even if they *did* review source line-by-line, you know that most coders could easily obfuscate the dodgy code, making it hard to detect.

    Oh and as for the issue of the app "finding out" your phone number, pretty much every phone API has a means of doing this. There are plenty of perfectly legitimate reasons an app might need to know your number.

  17. Anonymous Coward
    Paris Hilton

    Oooh class action...

    That's a good idea. That way the lawyers get $100 million and the "victims" get a certificate good for $5 off any Storm8 game.

    Paris, 'cause she knows a screwing when she gets one.

  18. Marvin the Martian
    WTF?

    @UKforest

    So you haven't had a transatlantic salescall yet? Quelle surprise.

  19. Watashi

    Oops!

    Pwned!

    How long have we had to listen to Mac fanboys harp on about how Apple does OS security soooo much better than Microsoft? I wonder how many other iPhone apps have sneaky malware functions built in!

    Is there a Spybot or Ad-Aware app for the iPhone?

  20. Craig 2
    FAIL

    Suckers...

    Internet 101: Free downloadable stuff often conceals a malicious payload.

  21. Michael C

    apple pulls these apps in 5, 4, 3,...

    It's happened before. Some app gets approved because someone at Apple looking at the code for specific things, and looking at the operation of the game for specific things, did not find this code segment (out of probably tens of thousands of lines). As soon as it comes to light, Apple immediately pulls the app back in for a more thorough review, and then upon finding the bad code, pulls the app immediately.

    Here's something else I've always wondered... Now that there's in-app purchase, and with Apple getting 30% off the top on apps, why are free apps allowed to have external purchase mechanisms for content like these at all anymore? Why has Apple not changed its policy to move the app from the free store to the pay store section, indicating the app can cost money to play, and forced the devs to use the in-app pay system (or at least started enforcing this for all NEW apps)? Storm8's apps seem to bypass Apple's ability to profit from their distribution. Maybe this will get that policy changed for the future too.

  22. This post has been deleted by its author

  23. Anonymous Coward
    FAIL

    @magnetik

    It's more fundamental than this. Why is the Apple SDK allowing access to personal details without explicitly requesting permission? (See the Location APIs - all require user approval at the start of the session)

    Come to think of it, why isn't there an option to do settings/permissions per application for stickiness?

  24. chr0m4t1c
    Stop

    @Oops!

    I fail to see why you think this is a specific Apple OS problem.

    This is what should be a legitimate app doing something that it doesn't advertise. As far as I know pretty much any OS is subject to the same problem and unless you have access to (and are prepared to scrutinise) the source code for every application you run on everything then you're at risk.

    The only way to be reasonably sure is to assemble everything yourself, starting with the raw materials for the hardware (no, you can't buy disks, memory, motherboards, BIOS or CPU from anyone) and end up with creation of the OS, your own development tools and applications from scratch (no third-party assemblers or compilers, please).

    Good luck with getting onto the internet before you die of old age. Actually, good luck in getting anything even vaguely useful going before you die of old age.

    Oh, you might need some money too. Wafer fabrication plants can be quite expensive.

    Meanwhile, back in the real world...

  25. pAnoNymous
    WTF?

    can't get not'ng for not'ng

    Storm8 have some of the most popular free games on the App Store - I don't think they are developing all these games just for a laugh. Their games are great, but what's their line?

  26. gotes

    Watashi

    Yet again someone tries to turn a reg comments page into a Microsoft vs Apple vs Linux "debate". I'm pretty sure these "Mac fanboys" are referring to the security in Apple's desktop OS product and not the iPhone. I wonder how many Windows Mobile apps have sneaky malware functions built in?

  27. magnetik

    @AC 12:46

    Agreed, having a prompt to access private data would be a good idea, especially if that could be stored as a preference. (I hate being prompted over and over about allowing access to my location.) Trouble is, most people are dumb enough to just give away access without a second thought. How many people let a Facebook app have their private info with no thought whatsoever about the potential implications?

    As with all security measures it's a trade off between usability and security. Apple have to decide whether potentially annoying millions of users is worth reducing the harm from a handful of rogue apps.

  28. Shady
    Dead Vulture

    Zombies Live...

    ...isn't that an oxymoron?

    Gravestone, obviously....

  29. Tim Herklots

    Wait until plaintiff discovery...

    ..demands to know if the pnum data was sold/shared/swapped.

    May be some interesting answers there.

  30. Anonymous Coward
    FAIL

    @gotes

    "Yet again someone tries to turn a reg comments page into a Microsoft vs Apple vs Linux "debate". I'm pretty sure these "Mac fanboys" are referring to the security in Apple's desktop OS product and not the iPhone. I wonder how many Windows Mobile apps have sneaky malware functions built in?"

    Firstly, how about some evidence here. I've noticed it is a common tactic of Mac fanbois (including those very irritating adverts that lie about PCs) to spread FUD about Windows without any supporting evidence.

    Secondly, I hope you have been reading the news recently. My Windows PC has never deleted the entire contents of my home directory by mistake, but Snow Leopard has. At the pwn to own competitions every year, it is interesting how Macs are always the first machine to be pwned. It is more interesting how Mac fanbois blame third party apps every time (in the same way that they are trying to blame 3rd party apps for this). The vast majority of exploits on any platform are the result of an insecurity in a 3rd party app. This is why Microsoft (and a lot of Linux people) have spent a lot of time trying to improve the interactions between apps and the OS to make this type of insecurity harder to exploit, and why therefore at present it is far harder to pwn a PC than a Mac.

    Go ahead and worship at the altar of the Church of Jobs if you want. Also feel free to evangelise about it all you like. But don't be under any impression that people in the real world don't know it is nothing more than a religion, certainly nothing scientific, that you are preaching.

    iPwn.

  31. Anonymous Coward
    WTF?

    Pot -> Kettle

    Makers of sophisticated personal bugging device accuse users of bugging device of spying.

  32. Richard 118

    @Anonymous Coward

    "It's more fundamental than this. Why is the Apple SDK allowing access to personal details without explicitly requesting permission? (See the Location APIs - all require user approval at the start of the session)

    Come to think of it, why isn't there an option to do settings/permissions per application for stickiness?"

    Ummm try looking at the SDK, there IS no way to access personal details, it's using a private API which App Developers are 'supposed' to not be allowed to use. Of course they can access it because at the end of the day the API has to be there for official apps to use it.

    If you put a dialog in the private API for accessing the number then you'd end up getting that warning when you tried to send an SMS or make a phone call.

  33. windywoo
    Jobs Horns

    If it's accessing an official API...

    Why was that not noticed by Apple's review? Why is that even possible?

  34. Anonymous Coward
    WTF?

    Code Review?

    "Ummm try looking at the SDK, there IS no way to access personal details, it's using a private API which App Developers are 'supposed' to not be allowed to use. Of course they can access it because at the end of the day the API has to be there for official apps to use it.

    If you put a dialog in the private API for accessing the number then you'd end up getting that warning when you tried to send an SMS or make a phone call."

    Wouldn't screening code for these "private" API calls be step #1 in the approval process?

  35. Daniel B.
    Boffin

    @magnetik, @Richard 118

    Hm... I wonder if you're aware of the BlackBerry OS security model. I don't get any "security dialog" when I send an SMS or make a call, but I do get 'em when *any* app tries to do these things, unless I've explicitly granted permissions on that app.

    In fact, I installed the Google Mobile App about 2 days ago, and it caused a security dialog to tell me that Google Mobile app was trying to access the phone data. This is SOP for *all* apps other than the stock BlackBerryOS apps... why can't Apple manage this?

    It does show, however, that the iPhone locked-down environment isn't done for *security* reasons, otherwise something like this would be impossible to pull off. I would definitely say "no" if some game started to ask me for phone data access.

  36. gotes

    @AC 15:17

    For the record, I did not once suggest that one OS is more secure than another. Personally most of my computers run Windows and I have a Windows Mobile based phone.

    I don't worship at anyone's altar, least of all Steve Jobs'.

  37. James Butler
    Headmaster

    To The Author: Class Action

    The decision to create a "class" action out of a lawsuit has nothing to do with allowing others to join in the lawsuit ... they can do that, anyway, by joining as plaintiffs or by suing individually, or in groups of plaintiffs. "Class" action status is granted to make things easier for judges and is WAAAAY more favorable to the company being sued.

    The decision to make a generic lawsuit into a "class" action is all about two things: (1) Increasing what otherwise would be a puny set of damages, by claiming that a whole "class" of people has been affected, and not just the few actual plaintiffs for whom actual damages would be paltry, and (2) thus allowing the actual plaintiffs to petition for and then collect many more times the actual damages they suffered, should the lawsuit be settled in their favor. This ALWAYS ends up being FAR less than a violating company would have been forced to pay if everyone who had a viable lawsuit for the same thing won or settled their cases separately.

    For example, if a single person wanted to sue Storm8 for this, what are their actual damages? Maybe the costs incurred from getting a new phone number, if that. If that person and their lawyers can convince a judge that the suit is deserving of "class" action status because lots of people were "probably" affected, then those damages just got multiplied by the number of individuals estimated to be in the "class", and now we're talking some real money.

    At the end of a "class" action lawsuit, assuming it settles in favor of the plaintiffs, the lawyers get the biggest chunk of money, often in the several millions of dollars, the original plaintiffs get the next biggest chunk of money, frequently in the tens of thousands of dollars, and the rest of the "class" members get squat. Usually literally.

    I refer you to the recently-settled "class" action lawsuit regarding Yahoo's policies with respect to all of the "parked" and otherwise unsavory domains they used to show your PPC ads on. The lawyers got several million dollars (more than $40M, as I recall), the original plaintiffs each received over $10,000, and the rest of us get nothing if we are still in business, or you get $20 if you went out of business during the 5 years it took to settle the case. Oh ... and Yahoo has to do exactly nothing if the deal with Microsoft goes through. That would not have prevented them from being required to make good on the award if this were NOT a "class" action.

    What? You didn't know that you were a member of the "class" until the lawsuit was settled, and now you can't sue Yahoo for the same thing because those plaintiffs have already settled it for you? What a shame. Oh well, that's how "class" action lawsuits work ... either you are the plaintiff or the lawyer, or you get nothing.

    I sincerely hope that this lawsuit does NOT attain "class" action status, but rather that concerned people who want to join in the lawsuit do so the RIGHT way ... by becoming official co-plaintiffs. "Class" action lawsuits are a scourge and a disgrace, and should be removed as a legal "remedy".
