Lawsuit Claims Top iPhone Games Stole User Data 149

pdclarry writes "Storm8, a maker of some top iPhone games, allegedly stole users' mobile phone numbers, according to a lawsuit filed on November 4. The suit claims that best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. There have been other reports of applications copying personally identifiable customer information in the past. The complaint seeks class-action status."

  • Re:Big Surprise... (Score:2, Interesting)

    by harlows_monkeys ( 106428 ) on Sunday November 08, 2009 @02:35PM (#30023858) Homepage

    You need to think about that some more. Unless the user is required to enter their password every time they access the data (which would get very annoying real fast), there will have to be some kind of key caching, with safeguards to prevent the wrong applications from using it. What's to stop a bad application from bypassing those safeguards?

  • by Super Dave Osbourne ( 688888 ) on Sunday November 08, 2009 @02:35PM (#30023860)
    That is of course assuming Apple has a tough scrutiny that is uniform across all apps and all its screeners. I often get the impression that with 1000s of crap apps submitted, and 1000s of crap apps approved, with 1000s of good apps rejected, and even more 1000s of crap apps rejected there is no rhyme or reason to the insanity that still is the approval process at AppStore. To summarize, they do what is necessary to keep it afloat, and no more. Others take advantage of it, and thinking there is some conspiracy at AppStore is as valid in my mind as the argument that this Storm8 upload of PNUM was a mistake/error. Just don't buy it.
  • note to Apple (Score:4, Interesting)

    by N!NJA ( 1437175 ) on Sunday November 08, 2009 @03:13PM (#30024130)
    mass-adoption is a security liability. it must be feared as much as holes and bugs in software. how does it feel to be in Microsoft's shoes? go ahead, fanbois. mod me down.
  • by thesandbender ( 911391 ) on Sunday November 08, 2009 @03:50PM (#30024408)
    As a recent convert to Apple (short story OS X is a nice balance between Unix and applications I need to use for my client base) I was a little shocked by how nonchalant Apple seems to take user security.

    1. MacBooks default to no user authentication which is unacceptable for a portable device that can be stolen or misplaced.
    2. The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.
    3. And as a completely random example... AppleTV only supports WEP. I know this is a nit-picky thing but it shows Apple's indifference. WEP has been thoroughly and completely broken... yet one of Apple's primary devices will not support a more secure protocol. You want to use your new toy you have to downgrade your security.

    I like OS X and the new unibody MacBooks just rock... but Apple's smarmy and basically indifferent attitude to security is going to end up biting them in the arse.
    /I've strapped on my fire-proof britches... fire away :)
  • by westyvw ( 653833 ) on Sunday November 08, 2009 @04:06PM (#30024536)
    If your phone is jailbroken. I do not know if it protects the user from this company, but it does block information that other companies have been known to try and get. Yet Apple is still trying to convince users that the App store is the only safe place for software.
  • by jo_ham ( 604554 ) <joham999@noSpaM.gmail.com> on Sunday November 08, 2009 @04:16PM (#30024644)

    1. If your MacBook is stolen, your data is compromised whether you have user auth on or not, since with an OS X install disk you can reset the admin password. Alternatively they can just boot it in FireWire mode and mount the disk on another machine and take your data that way (or physically remove the HD). Unless you specifically set your keychain password to something other than your admin password this also means any password you store in there is compromised too. Are you suggesting that MacBooks ship with FileVault turned on? I would suggest that when you start a new user profile that it recommends that your keychain master password is different from your login password, but this is going to get in the way of a smooth user experience (which is a crummy reason to reduce security, but there is a balance between security and convenience that we all have to decide on) - by default the Mac is pretty open, but you can choose to enable the firewall, create different passwords for your keychain, run as a non-admin user etc etc as you see fit.

    2. Yes, it should be on by default. I have no idea why it isn't.

    3. The Apple TV is a bit of a special case - it should be updated to newer wireless standards, but I assume there is a technical reason why this is not so at the moment. Everything else on current Mac hardware on the wireless front (ie, anything that is g or better) supports at least WPA or WPA2 as well as the more esoteric WPA2 enterprise protocols as well as the less secure WEP stuff for compatibility. If you have an Apple TV on your network, you either need to drop to WEP or hook it up over ethernet - a problem that does need to be addressed.

  • Re:yeah, right! (Score:3, Interesting)

    by DJRumpy ( 1345787 ) on Sunday November 08, 2009 @05:01PM (#30025070)

    They never guarantee that they will remove all malware, although they reserve the right to ban any application that is deemed dangerous. Unless they were to visually verify every line of code of every application (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.

    I for one would prefer that they make the attempt, rather than taking the MS approach of relying on heuristics to identify them.

  • Re:yeah, right! (Score:3, Interesting)

    by TheRaven64 ( 641858 ) on Sunday November 08, 2009 @06:30PM (#30025808) Journal
    The XNU kernel on the iPhone supports fine-grained profiles for restricting what applications can do. If something is a game, then it needs to access the display, write to the app's directory, and nothing else. This should be enforced by the kernel. Apple has even written a policy for this already, which ships with OS X on the desktop (I've never met anyone who uses it, but it's there). There is no excuse for not using this on the iPhone.
  • Re:What Safeguards? (Score:5, Interesting)

    by IamTheRealMike ( 537420 ) on Sunday November 08, 2009 @06:55PM (#30026038)
    What? Seriously? Why does this never come up in iPhone vs Android reviews? The Android security system isn't perfect, but it does at least tell you what an app will be able to do ahead of time. If I install a game and it wants to read my address book, I think twice.
  • by DavidTC ( 10147 ) <slas45dxsvadiv.v ... m ['x.c' in gap]> on Sunday November 08, 2009 @11:05PM (#30028174) Homepage

    That is possibly the stupidest review process I've ever heard of.

    Surely Apple has some sort of iPhone emulator they can install on and see what files it accesses.

    Hell, in this case, your phone number is being transmitted in cleartext, which should have been noticed via sniffing.

    Obviously, nothing could ever entirely be 100% sure, (See: Halting problem), but it could be made damn hard for apps to do that sort of stuff.

    At this point, it's looking like Apple's entire 'review' process is solely to keep competitors out. Yes, yes, I've always heard people say that, but I actually believe they were at least also keeping malicious software out.

  • by PetoskeyGuy ( 648788 ) on Monday November 09, 2009 @08:30AM (#30031176)

    I don't know if they are doing it like this any more, but all storm8 apps are the same game with different graphics.

    1. Connect to storm8 server and send your phone number + imei
    2. Server returns a session id you can use for processing your commands
    3. basic http queries control the app

    This is why when the games first came out you couldn't move your account from one device to another, they used the device id as your user id. They have since implemented portable username but by default they still send all your shit across the network. You can snoop packets and see the phone number of every user that plays on your network.

    I wrote a lot of bots for all the games. I haven't played in a few months... Set up an HTTP proxy in your iPhone network settings and all this is very obvious.
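
The review-time check that the comments above point at (watching an app's traffic through a proxy for the device's own phone number and IMEI), as an added example that is not part of the original thread. The device identifiers, host names and captured requests are constructed for illustration; the check also looks inside URL-encoded and base64-encoded values, which goes beyond the plain-text case described in the comments.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed identifiers of a hypothetical review test device.
TEST_DEVICE = {"phone_number": "+1 (555) 010-0123", "imei": "490154203237518"}

# Constructed proxy capture: (scheme, host, raw request text).
CAPTURE = [
    ("http", "game.example.test",
     "POST /login HTTP/1.1\r\nHost: game.example.test\r\n\r\n"
     "pnum=15550100123&udid=490154203237518&v=1.2"),
    ("http", "game.example.test",
     "GET /cmd?session=ab12&action=attack HTTP/1.1\r\nHost: game.example.test\r\n\r\n"),
    ("https", "stats.example.test",
     "POST /t HTTP/1.1\r\nHost: stats.example.test\r\n\r\nd="
     + base64.b64encode(b"imei=490154203237518").decode()),
    ("http", "cdn.example.test",
     "GET /img/logo.png?tel=%2B1%20%28555%29%20010-0123 HTTP/1.1\r\n\r\n"),
]

SEPARATORS = re.compile(r"[\s().+-]")             # phone-number formatting noise
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # candidate base64 values

def views(raw):
    """Yield the request as sent, URL-decoded, and with base64 runs decoded."""
    yield raw
    yield unquote_plus(raw)
    for token in B64_RUN.findall(raw):
        try:
            yield base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 after all
            continue

def find_identifier_leaks(capture, device):
    """Report every request that carries one of the device's identifiers."""
    needles = {name: SEPARATORS.sub("", value) for name, value in device.items()}
    findings = []
    for index, (scheme, host, raw) in enumerate(capture):
        haystacks = [SEPARATORS.sub("", view) for view in views(raw)]
        for name, needle in needles.items():
            if any(needle in h for h in haystacks):
                findings.append({"request": index, "host": host, "identifier": name,
                                 "cleartext": scheme == "http"})
    return findings

if __name__ == "__main__":
    for finding in find_identifier_leaks(CAPTURE, TEST_DEVICE):
        print(finding)
```

Findings with `cleartext` set are the ones any other host on the same network could read off the wire; the rest still show the identifier leaving the device.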
