Dennis Fisher has the skinny on a new iPhone app that is capable of harvesting huge amounts of personal data from stock iPhones, including geolocation data, passwords, address book entries and email account information, all using just the public API.
The app, called SpyPhone, is the handiwork of Nicolas Seriot, a Swiss iPhone app developer who found a way to abuse the public iPhone API that Apple made available for application developers. Fisher reports that SpyPhone does not need any exploits or hardware attacks in order to access the iPhone’s data.
Instead, SpyPhone relies on using the iPhone’s usability and depth of features to its advantage. Once an application is on an iPhone, it has unfettered access to much of the data and settings on the device, a circumstance that SpyPhone’s developer, Nicolas Seriot, exploited.
The developer has posted the source code for SpyPhone online and gave a talk about SpyPhone’s capabilities at a security conference this week.
Original article can be found here.
So, why is this even posted here? Iphone OS API enables you to use data on the phone, but why even bother with it if you can’t ever get it on any non-jailbroken “stock” phones? If this was about a method to remote install apps on iphones, now that would be news.
it’s nice to know such a thing exists. combine it with the existing iphone worms and it would attract even more attention.
btw most of the tools here on MP do the same thing. they only collect data and nothing more. if you want to transfer the data to the drop zone you have to combine them with the SMTP dropzone thing.
The reason for news is that it would be simple for an unethical advertising agency or spammer to slip these API calls into programs that double as spyware. It isn’t that hard to get an Iphone app into the app store. Convincing people to install is slightly harder, but look how many sales the IBeer or even the IFart apps have.