Lawsuit Claims Top iPhone Games Stole User Data
pdclarry writes "Storm8, a maker of some top iPhone games, allegedly stole users' mobile phone numbers, according to a lawsuit filed on November 4. The suit claims that best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. There have been other reports of applications copying personally identifiable customer information in the past. The complaint seeks class-action status."
Big Surprise... (Score:3, Insightful)
yeah, right! (Score:5, Insightful)
You can't have the cake and eat it too.
But of course, if it's apple - apparently they can, at least here on
Re:yeah, right! (Score:5, Funny)
But it's apple!! They can't do no wrong!!
Re: (Score:1)
They're a company, protecting their profits with nary a regard for their customers' welfare. They're doing no more wrong than what's expected of any company.
Re: (Score:2)
whoosh!
Re: (Score:3, Interesting)
They never guarantee that they will remove all malware, although they reserve the right to ban any application that is deemed dangerous. Unless they were to visually verify every line of code of every application (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.
I for one would prefer that they make the attempt, rather than taking the MS approach of relying on heuristics to identify them.
Re: (Score:1)
> Unless they were to visually verify every line of code of every application (there are what, over 100,000 apps?) then there is no way they can possibly prevent all malware.
And yet, all of those 100,000 apps have gone through Apple's verification and approval process. What exactly is involved in that? I would say checking for malicious activity and programs attempting to gain access to privileged information would be the bare minimum, surely?
IANAL, but a content provider that facilitates distribution of malware/spyware through its portal must be culpable to some extent?
Re:yeah, right! (Score:4, Informative)
> IANAL, but a content provider that facilitates distribution of malware/spyware through its portal must be culpable to some extent?
No they aren't. You should know better if you're on this site. That's like saying the internet providers are responsible for all malware.
They check apps for content and for duplicated functionality. They don't do a line by line review of every piece of code, nor do they claim to do so.
Re: (Score:3, Insightful)
I would agree, except Apple's setup seems to prevent anyone but Apple from being able to prevent this. On most other platforms you could install a debugger/logger, but that would be banned on any phone that can access the App Store. In an open development environment you could have open source apps that the customers can compile themselves, ensuring any suspicion can be verified in source as intent; again, not an option in the Apple environment. Apple better have a terms of use for application developers so that these
Re: (Score:3, Insightful)
No pay-for-play software producer would open the source on their currently selling software. At a minimum, should the charges prove true, I would think Apple will yank the app (potentially all apps from that vendor, I would think). This is a pay app, not a free one.
I would also think that legal action, both by individuals, and by Apple is pretty much a given should it prove to be true.
Re: (Score:2)
It was proven true; intent isn't known. My only point was, there is no easy way to verify an iApp outside of Apple; a customer couldn't even verify an app they were given/bought the source for. This one transmitted the info over the WiFi link as well; had it only used the cell link, who would know?
Open-sourcing an iPhone game doesn't seem too bad. To get it on a phone a player would have to pay $100 to become a developer (or $4 for the app); without that they could play it on an emulator only. The app store is sup
Re: (Score:3, Insightful)
One of the chief rationales constantly given for Apple's labyrinthine and bizarre rules is to protect the "experience". If Apple is allowing malware in their store, then I think they should be taken to task for screwing with the "experience".
Re: (Score:2)
Are you implying that they knowingly 'allowed' a known app that collects personal information into the App store?
Re:yeah, right! (Score:4, Insightful)
I'd love to, but sadly, I think it shows the sheer ineptitude of their apps store and undermines the very arguments they use for denying things like full C64 emulators. In short, Apple's excuse is a pile of bullshit. If malware can make it on to the iPhone via the Store, then one of the Store's primary purposes has been undermined, as has Apple's claims about it.
Re: (Score:2)
Apple doesn't claim to stop Malware. Please point out where they claim this.
Re: (Score:2)
Apple claims to be protecting the "experience" with their restrictive Store policies. Malware fucks up the experience, wouldn't you say? Besides, the whole argument against the C64 emulator was that somehow, magically, someone could use 6510 assembly language to, well, do the sorts of nasty things that apparently can be done with approved apps. In short, Apple is both incompetent and lying.
Re: (Score:2)
I'll ask again. Please post a link to the specific text where Apple guarantees the 'user experience', or where they guarantee they will find and prevent all malware. Please point out where they 'claim' this.
You can't.
You've only proved that you don't like their closed system and frankly, I'm surprised you haven't been marked down for flamebait. Your post seems more based on wishful thinking hoping someone will sue Apple for malware created and injected by a 3rd party with no substance behind it other than
Re: (Score:3, Insightful)
If you are making the claim that you don't have to worry about viruses and bad people on Apple products, then you better not be sanctioning apps that do exactly that. If they let anyone put anything on the iPhone, this would be different. But since they force you to go through their
Re: (Score:2)
Again, you're looking to assign blame where none exists. The responsible person is the app developer, not Apple. This same tack was tried with internet providers. If they were opened to legal action due to the malicious intent of others then there would be no internet providers. None would be crazy enough to enter into that legal nightmare. Any digital distribution for online software would be at risk, and would also disappear in short order I would imagine.
It's obvious you dislike the Apple model and it's
Re: (Score:2)
Apples and oranges. ISPs usually don't look at what you're downloading/uploading, and in fact they're not supposed to [wikipedia.org] (ethically, not yet legally). Apple "audits" any app you can put on your iPhone. Since Apple does reject some apps, and doesn't want to say much about what they look for, it is difficult to argue that they are completely in the legal clear given that their auditing process creates a certain expectation of security in the mind of the user. If Apple cannot fulfil that expectation, they mig
Re: (Score:2)
Apple tells you exactly what they're looking for: obscene material, and apps that duplicate functionality of the core OS within those apps.
Please point out anywhere on Apple's site where they say they actively scan code for malware. Unless you can find such a claim, then there is no legal basis for your argument.
Re: (Score:2)
I will repeat for you what I've asked the others. Please point out on Apple's site where they claim to scan code for malware. Just because you may think they should be doing something doesn't mean they are legally bound to do so. I would go so far as to guarantee that the terms of purchase specify that Apple isn't liable for content purchased via the App Store, except possibly for the return price should the app be banned.
Re: (Score:2)
I agree wholeheartedly. Any reasonable security measure that doesn't put undue burden on a developer should absolutely be implemented.
I suspect they may have to find a way to enforce use of such profiles at some point if they want to keep things tidy. I'm actually surprised they don't do so already.
I have to wonder if these in-game upgrades go through the same strenuous review process that the initial app does?
Re: (Score:2, Interesting)
You need to think about that some more. Unless the user is required to enter their password every time they access the data (which would get very annoying real fast), there will have to be some kind of key caching, with safeguards to prevent the wrong applications from using it. What's to stop a bad application from bypassing those safeguards?
Re:Big Surprise... (Score:5, Insightful)
Whatever happened to Apple's policy of babysitting their users by allowing only certain apps? Wouldn't this application be exactly the kind of crap users should be protected against?
It's been claimed on
Re: (Score:2, Insightful)
No, you just made a claim about "appple apologists" [sic] that you completely failed to back up. You then threw out your own baseless accusation, again with no citation.
Textbook flamebait.
You can replace "Apple" with "MS" or "Sun" or "Verizon" or "Amazon" or "Google" for exactly the same mod result.
Re: (Score:2, Flamebait)
No offense but.. I think guys like you crying flamebait are big fat pussies. Seriously.
Re: (Score:2)
Hey, I'm just explaining why he got the mod. I'm not judging one way or the other, nor am I the one who modded it that way.
In my experience, "flamebait" typically means "I do not agree, thus I mod you flamebait", but in some cases, it actually does mean what it says, hence: textbook.
Re: (Score:2)
Oh yes. I must be the first one and a trend-setter on
Re:Big Surprise... (Score:5, Funny)
If you want infallible maybe they should get the pope to do app reviews.
Re:Big Surprise... (Score:4, Insightful)
So Apple will try but they may make mistakes. Fair enough.
But if we accept the fact that mistakes will be made, how is this better than either a "Wild West" approach where anyone can publish applications with no review whatsoever or, conversely, a competitive store approach where some stores will be better than others about evaluating what an app does?
Re: (Score:2)
The rationale is that Apple products are strongly associated with the brand and everything that goes wrong will reflect badly on Apple even if the apps are not associated with Apple in any way. Opening up the iPhone to other stores in that line of thinking would increase the risk of damaging the brand by vastly increasing the opportunity for malicious and inappropriate apps. Just read this thread and see how many people are ready to blame Apple because some software publishers are shady assholes.
Personally
Re: (Score:3, Insightful)
Apple would receive no blame at all here except that they claim to protect users from this sort of thing. In order to provide this "protection", they make developers of potentially useful apps jump through a series of flaming hoops, yet managed to defeat the entire point by allowing the Storm8 games right in. That is, they endorsed the app by screening it for harmful behavior, pronouncing it good, and then offering it in their app store.
It should be no surprise that if Apple will claim to be providing this
Re: (Score:3, Insightful)
Exactly.
Apple is playing both sides here. Either their app store is safe, or it isn't.
If it isn't safe, 90% of their excuse for not allowing people to download apps from anyone is nonsense.
Re: (Score:2)
> Exactly.
> Apple is playing both sides here. Either their app store is safe, or it isn't.
> If it isn't safe, 90% of their excuse for not allowing people to download apps from anyone is nonsense.
Other 10% (in 2% increments):
1) Money
2) MONEY
3) Mo-ney
4) ???
5) Profit!
Re: (Score:3, Insightful)
They've had since at least August 27th to correct their oversight (the date when Storm8's behavior was first documented publicly [sfgate.com]). Considering that it could be verified by just installing one of the listed games and running tcpdump while registering it, I'd have to say they haven't been at all interested in investigating.
Just to add to it, Storm8 doesn't even deny that the collection happened! They only deny that it is intentional.
Re: (Score:2)
It's obvious who the mindless, irrational zealot is here, and it certainly isn't jcr...
Re: (Score:1, Funny)
Oh the fools! If only they'd built it with 6001 hulls! When will they learn?
Re: (Score:2)
> When will encrypted data at the 2048 and higher bit level make it into the
> tech we take for granted on a daily basis.
When a significant number of customers won't buy "tech" without it. The fact is most people don't care, including most of those who complain about it.
Re: (Score:3, Insightful)
When will a pony show up and dance the lambada? This has _nothing_ to do with the length of encryption keys, and everything to do with fine-grained data access. Unfortunately, a lot of apps were developed first, and security only thought of later. (Yes, I'm talking about CVS and Subversion and Jabber.) The results are predictable: personal data is not encrypted, and is shared freely to the local filesystem because the developers are not given the time, and the apps are not given the resources, to protect th
Re:Big Surprise... (Score:5, Insightful)
Encryption wouldn't help here. The API allows access to all kinds of data on the iPhone, which some apps do legitimately require in order to function (for example, a Google Voice-type app would indeed need the user's phone number). Even if the data was encrypted, the iPhone would happily decrypt it and pass it to the app when given the proper API call. The issue here is enforcement. Developers caught doing this kind of thing should be banned from the App Store, and put on some kind of blacklist at Apple so Apple doesn't do further business with them.
Re: (Score:2)
> You need to think about that some more. Unless the user is required to enter their password every time they access the data (which would get very annoying real fast), there will have to be some kind of key caching, with safeguards to prevent the wrong applications from using it. What's to stop a bad application from bypassing those safeguards?
What you are describing are the kind of measures you take against outside attackers. The problem here is that the attacker is an invited guest. Locked doors don't do
Re: (Score:2)
How will encryption help, when the application that you've been duped into installing is DOING THE SNOOPING?!?!
Clearly an inside job. (Score:5, Funny)
As strict as the Apple store is about getting actual useful apps in, and screening all kinds of apps based on one or two system calls, clearly the only way this could have happened is if Storm8 has someone on the Apple App Approval Team who they know. Otherwise, how would something like this have gotten past such a stringent code review?
Re: (Score:1, Funny)
They don't have access to the code. Besides, reviewing the code requires non-trivial technical skills.
Technical skills. Exactly the sort of thing Mac users don't have.
"Of the 235 million people in America, only a fraction can use a computer... Introducing Macintosh. For the rest of us." -- Apple Inc.
Re: (Score:2, Informative)
Unfortunately, app reviewers literally just install your app on a bunch of devices and tap around the screen to make sure nothing breaks, so any sort of hidden functionality will likely make it past the initial screening.
For the record... my app, Touch Health [milktouch.ca], will not steal your
Re: (Score:2)
Thanks, I was worried that an obscure health app would do that. I now know that this isn't merely an attempt for you to get more hits, I was seriously worried that an app with a single review was busy stealing my data.
I've looked over your bullet points, still wondering where it becomes useful, you really expect emergency personnel to launch your app and find the "emergency contact" ? This is great. Maybe next you can add a method for me to identify myself when my wallet isn't sufficient, wait you alre
Re: (Score:3, Interesting)
That is possibly the stupidest review process I've ever heard of.
Surely Apple has some sort of iPhone emulator they can install on and see what files it accesses.
Hell, in this case, your phone number is being transmitted in cleartext, which should have been noticed via sniffing.
Obviously, nothing could ever be entirely 100% sure (see: halting problem), but it could be made damn hard for apps to do that sort of stuff.
At this point, it's looking like Apple's entire 'review' process is solely to keep co
Not so secret .. (Score:5, Informative)
Getting access to a user's phone number doesn't require a 'secret' code. Any app can do that.
http://blog.timeister.com/2009/06/25/objective-c-get-iphone-number/
Storm8 Login sends your phone number + imei (Score:3, Interesting)
I don't know if they are doing it like this any more, but all Storm8 apps are the same game with different graphics.
1. Connect to storm8 server and send your phone number + imei
2. Server returns a session id you can use for processing your commands
3. basic http queries control the app
This is why when the games first came out you couldn't move your account from one device to another, they used the device id as your user id. They have since implemented portable username but by default they still send all you
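The login sequence described in the post above (phone number plus IMEI sent to the server in plain HTTP), and the point made elsewhere in the thread that this would have shown up in a tcpdump capture during registration, can be checked mechanically. The following is an added example, not Storm8's code and not code posted by anyone in this thread: a small scanner that parses captured plaintext HTTP requests and flags values that look like a phone number or a Luhn-valid IMEI. The sample requests and the host name game-backend.example.invalid are constructed for the example; the real endpoints are not on this page.

```python
"""Flag device identifiers sent in cleartext HTTP requests.

Added example, not code from Storm8 or from anyone in this thread. It
automates what the posters describe doing by hand with tcpdump: look at
the plaintext requests an app makes during registration and flag the
ones carrying a phone number or an IMEI. The sample requests and the
host name game-backend.example.invalid are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIFTEEN_DIGITS = re.compile(r"\b\d{15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a real IMEI passes it, which weeds out most
    random 15-digit values such as timestamps or scores."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str):
    """Classify one query/form value as 'imei', 'phone' or None."""
    digits = re.sub(r"[\s().+-]", "", value)
    if not digits.isdigit():
        return None
    if len(digits) == 15 and luhn_ok(digits):
        return "imei"
    if 10 <= len(digits) <= 14:
        return "phone"
    return None


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_identifiers(raw: str):
    """Return findings for one request as dicts (kind, field, value, host...)."""
    method, path, headers, body = parse_request(raw)
    host = headers.get("host", "")
    fields = [("query:" + k, v)
              for k, vs in parse_qs(urlsplit(path).query).items() for v in vs]
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields += [("body:" + k, v)
                   for k, vs in parse_qs(body).items() for v in vs]
    else:
        # Opaque body (JSON, binary): only look for Luhn-valid 15-digit runs,
        # since phone-number heuristics on free text give too many false hits.
        fields += [("body", m.group()) for m in FIFTEEN_DIGITS.finditer(body)]
    findings = []
    for field, value in fields:
        kind = classify_value(value)
        if kind:
            findings.append({"kind": kind, "field": field, "value": value,
                             "host": host, "method": method, "path": path})
    return findings


def scan_requests(requests):
    """Scan a list of captured requests. Everything found is by definition
    cleartext: if this scanner can read it, so could anyone sniffing."""
    return [f for raw in requests for f in find_identifiers(raw)]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    # Registration that leaks the phone number and IMEI in a form body.
    "POST /login HTTP/1.1\r\nHost: game-backend.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "phone=%2B1+555+010+0123&imei=490154203237518&v=12",
    # Ordinary gameplay command carrying only a session id.
    "GET /cmd?session=ab12cd&action=attack&score=12345 HTTP/1.1\r\n"
    "Host: game-backend.example.invalid\r\n\r\n",
    # JSON body with a 15-digit value that fails Luhn: not an IMEI.
    "POST /log HTTP/1.1\r\nHost: game-backend.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"id": "490154203237519"}',
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['kind']:5} in {f['field']:12} -> {f['host']}{f['path']}")
```

Fed a real capture (one string per request, e.g. reassembled from tcpdump or a proxy log), the scanner reports which request, which field and which host received the identifier; the session-id request and the non-IMEI 15-digit value in the sample produce no findings, which is the point of the Luhn check.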
What Safeguards? (Score:5, Informative)
How is using standard, documented code bypassing safeguards?
NSString *telnum = [[NSUserDefaults standardUserDefaults] stringForKey:@"SBFormattedPhoneNumber"];
On most devices - at least those that were activated via iTunes - that will return the phone number. Or null if you're on an iPod Touch.
Okay, so the developer shouldn't have been harvesting this data, and definitely not without protecting it, but I fail to see how this was bypassing safeguards!
Re:What Safeguards? (Score:5, Informative)
Mod parent up. There are no safeguards. The Cocoa Touch SDK doesn't protect the user's phone number or name. Even the contents of the entire address book are accessed without safeguards. I was amazed to learn that I have to give an app permission to get my location, but meanwhile apps could pull every email address from Contacts and post them to a web server somewhere without my ever knowing.
Re: (Score:2)
So basically, it was designed with the same philosophy as Windows?
I can predict how this is going to end!
note to Apple (Score:4, Interesting)
Re:note to Apple (Score:4, Insightful)
> Mass adoption is a security liability. It must be feared as much as holes and bugs in software. How does it feel to be in Microsoft's shoes? Go ahead, fanbois. Mod me down.
Oh, really? Take a look at the market share of the Apache web server. [netcraft.com] Now which is more secure? IIS or Apache? They are a plump target for every organized crime outfit in the world. They host banks and brokerage accounts that transact trillions of dollars day in, day out. And the organized crime outfits don't limit themselves to simple hacker techniques. They would not mind murder and kidnapping and bribing to get passwords, or breaking and entering to install key loggers. In that marketplace Apache shines and IIS lags.
Mass adoption alone is not a security liability. Mass adoption of closed proprietary protocols, be it Apple, be it Microsoft, be it Diebold, is a security liability. The reason is the main interest of Apples and Microsofts and Diebolds is to sell more of their product. Not security of user data. It is important only as much as it affects sales. If there are other factors that influence sales they will be the preoccupation of these companies, not security of user data.
Re: (Score:3, Funny)
...
Are you saying Apache is Murder-proof?
How did they test that?
Re: (Score:2)
Ok, if you insist. ...
Seriously, you make a good point, but you've deliberately tarnished it by expressing a smarmy - some would call it unnatural - preference for attention from "fanbois".
Why do you seek them out?
After all, this is the domain of the big players (Score:1)
Look for a lawyer... (Score:2)
Even if the "class", um, "wins", it would be something like this; Lawyer gets well paid for all the hard work to bring justice to the world.
iPhone users get a coupon for a free iPhone download or two.
This is isn't new (Score:2, Informative)
You can get the device id (often the number) on games/apps from a variety of carriers. We're contractually bound only to use it for reporting back to them, especially for subscription games. There's that line about sharing info with our partners in nearly every privacy clause; basically we use it to track you but not to market to you.
And yes I've worked in the industry for a while.
Apple's "Security" Focus (or lack thereof) (Score:5, Interesting)
1. MacBooks default to no user authentication, which is unacceptable for a portable device that can be stolen or misplaced.
2. The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.
3. And as a completely random example... AppleTV only supports WEP. I know this is a nit-picky thing but it shows Apple's indifference. WEP has been thoroughly and completely broken... yet one of Apple's primary devices will not support a more secure protocol. You want to use your new toy you have to downgrade your security.
I like OS X and the new unibody MacBooks just rock... but Apple's smarmy and basically indifferent attitude to security is going to end up biting them in the arse.
Re: (Score:3, Interesting)
1. If your Macbook is stolen, your data is compromised whether you have user auth on or not, since with an OS X install disk you can reset the admin password. Alternatively they can just boot it in firewire mode and mount the disk on another machine and take your data that way (or physically remove the HD). Unless you specifically set your keychain password to something other than your admin password this also means any password you store in there is compromised too. Are you suggesting that Macbooks ship wi
Re: (Score:2)
...which is covered by "physically remove your hard drive" which I wrote literally right after that, but you chose to only partially quote my sentence and leave out that bit. Did you stop reading, or just chose to selectively quote? You can't be karma whoring since you are AC.
Which of these are valid... (Score:4, Informative)
> MacBooks default to no user authentication, which is unacceptable for a portable device that can be stolen or misplaced.
Are you sure about that? Every new Mac I've seen, you have to set up a user account (with password) first. Are you talking about how there is a setting to log you in automatically on restart?
> The OS X Firewall is disabled by default. Let's assume every OS X component is 100% secure, there's no way that every OS X app is.
This makes no sense. No ports are open by default, so just what would the firewall be, well, firewalling? With no ports open by default it's pretty much pointless to target any of the services, since so few of them are likely to be turned on across the population. That's actually the real reason we've seen no viruses on OS X: there's no target vector wide enough to be worth the trouble, thus all attacks are trojan style.
If a particular app has a flaw, how does a firewall help if that app chooses to listen on a port? Wouldn't it have to do that around the firewall anyway?
> And as a completely random example... AppleTV only supports WEP
As stated by other posters, this is not correct.
> I like OS X and the new unibody MacBooks just rock... but Apple's smarmy and basically indifferent attitude to security
I disagree here. I think Apple has been very security conscious in the ways that actually matter most to users.
OS X 10.5+ firewall is app firewall in fact (Score:2)
The App Firewall does have a nice function where it scans for "listening" (server) applications and pops up when some new listening application (server) is launched, asks the user whether to allow it, and signs the binary against future modification, in which case it will pop up again.
They are absolutely stupid to code such a "Mac-like" app firewall and not enable it by default. As a good side effect, it could also encourage developers to sign their apps.
BTW: Check your ports with nmap locally (nmap) or remotely (grc.com)
Re: (Score:3, Informative)
> BTW: Check your ports with nmap locally (nmap) or remotely (grc.com) after putting the machine in the DMZ. Some really needless ports are always open.
But only if you have enabled some services, none of which are enabled by default. That's why it doesn't really matter, because any one service is going to have such a low surface area to attack it's a waste of time to write the exploit - in the general case.
Companies should always be more cautious because of the potential for espionage, but then they could insist that
Re: (Score:2, Informative)
For 1: User authentication does not help against data loss due to stolen or lost hardware. Local access means root access, unless encryption is used. And Apple can't turn on FileVault by default since users that aren't careful (master password, write their password down and store it in a safe) would just forget their passwords and lose access to their data permanently.
For 2: The purpose of a firewall is to filter traffic to open ports. Mac OS X has no open ports by default. Any services the user chooses to
Re: (Score:3, Informative)
The purpose of a firewall is to filter traffic on open ports. Without a firewall, *all* ports are open, even if there are no daemons listening on them. When you install new software, you are potentially installing a daemon
Privacy applications are available.... (Score:5, Interesting)
Why just the iPhone? (Score:3, Informative)
From - http://yro.slashdot.org/comments.pl?sid=1386337&cid=29585841 [slashdot.org] - every phone OS has ways to get the phone number, much easier than various little hacks to do so. Android, Symbian, Blackberry OS, Windows Mobile. Though to Symbian's credit, you need to do a few tricks (like waiting for a phone call), and Android requires permission.
The interesting question is, how many apps on those platforms already call home? Why is Apple "innovating" in revealing what could be standard practice elsewhere?
Can't get extra security even if you pay for it (Score:2)
Sad thing is, the best companies on mobile security (telling from Symbian), Kaspersky and F-Secure won't ship any products to a target of "jailbroken" (hacked) iPhones as they want to maintain a relationship with Apple.
The App Store is absolutely impossible for them since these things run daemons in the background, including an app firewall.
So, even if you pay, you won't have any kind of extra privacy or security on iPhone.
PS: I got couple of their games, they have "recruit" feature which pulls up Address Book contacts and
Apple's fault. (Score:2)
Do they not ask for your code when you request to be included in the Apple iPhone App Store? Then, if anyone really bothered to read the code and see what it does (such is the job of a security analyst in their submissions department), they would have caught this code and would not have allowed such a game to be put on the iPhone to begin with.
They have a process making it hard visibly only for coders to get their apps in, but guess what, each subsequent version upgrade, should go through the sa
End them (Score:2)
>> Storm8, a maker of some top iPhone games, allegedly stole users' mobile phone numbers, according to a lawsuit filed on November 4
If this is true, I will post the cheats I made for all the Storm8 games (since they all use the same backend). This will end them.
In the meantime, since nobody else hijacked this thread, it's time to mod me into oblivion:
Kingdoms Live code: y7595v
iMobsters code: p4cq9c
Racing Live code: 5bycax
Vampires Live code: cycvbv
Rockstars Live code: 7da3pt
World war live code: uhpt7s
Z
The Symbian approach. (Score:2)
Symbian S60 3rd (and now 5th) Edition requires all native apps to be digitally signed with a developer certificate that has to be bought from their site, and you can't sign up to purchase from a generic webmail account. Different types of certificates grant different permissions to the application for access to user data and handset features like SMS, calls, Bluetooth, Wi-Fi, GPS etc. (
The handsets also block unsigned applications from being installed, so this also deters casual piracy (since a cracked Symbian a
Re:App Testing (Score:5, Informative)
skype, opera, flash, and c64 emulators
Re: (Score:2)
In other words, useful apps. I'm damned glad, and I hope this severely bites those pathetic control freaks in the ass. Apple needs its reputation dragged through the mud like the two-bit whore it is.
Re: (Score:2)
Skype was initially banned from the App Store. Skype had to fight to get it in there again.
No private API's in Google app. (Score:2)
> google was able to push private api's in the google iphone app.
This is false; it was found to simply be a notification they listened to, not an unpublished call they made. When the system calls you, that is not misuse of a private API.
There have been other groups that have snuck use of a few marginal API calls past app testers, but they are cracking down. And as other people noted, you can use the public APIs just fine to get at the phone number.