Lawsuit Claims Top iPhone Games Stole User Data 149
pdclarry writes "Storm8, a maker of some top iPhone games, allegedly stole users' mobile phone numbers, according to a lawsuit filed on November 4. The suit claims that best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. There have been other reports of applications copying personally identifiable customer information in the past. The complaint seeks class-action status."
Re:Big Surprise... (Score:2, Interesting)
You need to think about that some more. Unless the user is required to enter their password every time they access the data (which would get very annoying real fast), there will have to be some kind of key caching, with safeguards to prevent the wrong applications from using it. What's to stop a bad application from bypassing those safeguards?
Re:Clearly an inside job. (Score:2, Interesting)
note to Apple (Score:4, Interesting)
Apple's "Security" Focus (or lack their of) (Score:5, Interesting)
1. MacBook's default to no user authentication which is unacceptable for a portable device that can be stolen or misplaced.
2. The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.
3. And as a completely random example... AppleTV only supports WEP. I know this is a nit-picky thing but it shows Apple's indifference. WEP has been thoroughly and completely broken... yet one of Apple's primary devices will not support a more secure protocol. You want to use your new toy you have to downgrade your security.
I like OS X and the new unibody MacBooks just rock... but Apple's shwarmy and basically indifferent attitude to security is going to end up biting them in the arse.
Privacy applications are available.... (Score:5, Interesting)
Re:Apple's "Security" Focus (or lack their of) (Score:3, Interesting)
1. If your Macbook is stolen, your data is compromised whether you have user auth on or not, since with an OS X install disk you can reset the admin password. Alternatively they can just boot it in firewire mode and mount the disk on another machine and take your data that way (or physically remove the HD). Unless you specifically set your keychain password to something other than your admin password this also means any password you store in there is compromised too. Are you suggesting that Macbooks ship with Filevault turned on? I would suggest that when you start a new user profile that it recommends that your keychain master password is different from your login password, but this is going to get in the way of a smooth user experience (which is a crummy reason to reduce security, but there is a balance between security and convenience that we all have to decide on) - by default the Mac is pretty open, but you can chose to enable the firewall, create different passwords for your keychain, run as a non-admin user etc etc as you see fit.
2. Yes, it should be on by default. I have no idea why it isn't.
3. The Apple TV is a bit of a special case - it should be updated to newer wireless standards, but I assume there is a technical reason why this is not so at the moment. Everything else on current Mac hardware on the wireless front (ie, anything that is g or better) supports at least WPA or WPA2 as well as the more esoteric WPA2 enterprise protocols as well as the less secure WEP stuff for compatibility. If you have an Apple TV on your network, you either need to drop to WEP or hook it up over ethernet - a problem that does need to be addressed.
Re:yeah, right! (Score:3, Interesting)
They never guarantee that they will remove all malware, although they reserve the right to ban any application that is deemed dangerous. Unless they were to visual verify every line of every code of every applications (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.
I for one would prefer that they make the attempt, rather than taking the MS approach of relying on heuristics to identify them.
Re:yeah, right! (Score:3, Interesting)
Re:What Safeguards? (Score:5, Interesting)
Re:Clearly an inside job. (Score:3, Interesting)
That is possibly the stupidest review process I've ever heard of.
Surely Apple has some sort of iPhone emulator they can install on and see what files it accesses.
Hell, in this case, your phone number is being transmitted in cleartext, which should have been noticed via a sniffing.
Obviously, nothing could even entirely be 100% sure, (See: Halting problem), but it could be made damn hard for apps to do that sort of stuff.
At this point, it's looking like Apple's entire 'review' process is solely to keep competitors out. Yes, yes, I've always heard people say that, but I actually believe they were at least also keeping malicious software out.
Storm8 Login sends your phone number + imei (Score:3, Interesting)
I don't know if they are doing it like this any more, but all storm8 apps are the same game with different graphics.
1. Connect to storm8 server and send your phone number + imei
2. Server returns a session id you can use for processing your commands
3. basic http queries control the app
This is why when the games first came out you couldn't move your account from one device to another, they used the device id as your user id. They have since implemented portable username but by default they still send all your shit across the network. You can snoop packets and see the phone number of every user that plays on your network.
I wrote a lot of bots for all the games. I haven't played in a few months... Setup an http proxy in your iPhone network settings and all this is very obvious.