Skip to content

April 9, 2012

Identity Based Trojans

by e1ven

Alt. Linkbait title- “Is your iPhone Spying on you? [1]


Apple is famous for their “Walled Garden” approach to the iPhone and iPad.
No software ships on the phone without their expressed approval.
The downside of this approach is that Apple has control over what you are allowed to use- They can block eReaders, Podcast software, and Torrent client, and there’s not much you can do about it.

In exchange, the protect you from having to worry about Trojans, Viruses, and other Malware.

The problem is, there’s a whole class of Malware that Apple hasn’t (and really can’t) do much to protect against at all.

If you’re dedicated to stealing info from someone’s cellphone, cleverly written apps are a good way to get started.

Your Apps know who you are

Every app you install has various ways of knowing who you are.

It can use various hardware unique identifiers to compare against other databases, it can check your address book, and see who you say you are, and although Apple is starting to restrict these, there are still alternatives for tracking you across multiple applications.
Apps can pull your phone’s name from APIs.
Using undocumented APIs, apps can directly even pull your email address without explicit permission.

The app could also just load the Phone Number directly. This method has been Exploited Before.

Or, if everything else fails, it can ask you to sign up for an account, and give it an email and password. Almost everyone uses the same email address for all their programs, so it ties them fair uniquely.

Your app can spy on you

One the Application knows you you are, it could begin selectively spying on you.
Once the App has identified that you are a target worth spying on, it has several options.

It could pull pictures from your camera roll.
It could take pictures of you, using either the frontside or backside camera, without showing you the viewfinder.
The phone could record audio of you, and upload it all to the badguy headquarters.

Wouldn’t Apple block the App?

If they found out about it, yes.
Once the fact that your app was doing that became public, Apple would almost certainly pull the App.
The problem is, if your careful, Apple is unlikely to know.

Appstore Reviews consist mainly of manually operating/examining the app, and automatically looking though the executable for internal-only APIs.
Apple doesn’t receive or review the source-code to your application, and can’t watch every execution path.
This is what allowed other applications to Slip through the review process.

If you are discreet in what you do- For example, only record video of a few select targets, it seems likely you’d be able to get away with this for quite some time.

What can I do?

Luckily, Apple is taking steps to make this exploit more difficult.
They’re making it more difficult to determine who you are, or to access the Address Book without your permission.
Down the line, they may decide to require a prompt before accessing the Camera or Microphone.

Until then, there’s not much you can do.
Unlike on the Macbooks, there’s no green light next to the camera when it is recording.
Even the NextStations had a hardware light when they were recording Audio

The best advice I have, if you’re paranoid, is
1) Don’t Jailbreak. This only adds other attack vectors.
2) Under Settings, General, Restrictions, you can disable the Camera.

This will stop applications from accessing it, but will also be rather inconvenient, if you ever do want to take a picture.
Perhaps, if you’re worried, you should carry a point-and-shoot.

Is this likely

No. Unless you’re famous, it seems possible, but unlikely, for you to be targeted for a customized attack.

[1] – No.

Portions of the title image copied from renaissancechambara.
Others from iStockPhoto.

Read more from Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments