Pickpockets in the (app) Marketplace

Suddenly, it seems, the App Store is having a (very small) taste of the sort of criticism previously reserved for Android outlets, recently with regard to ZonD80’s provision of a service by which Apple’s in-app purchasing mechanism can be subverted, hard on the heels of reports of a problem that resulted in the distribution of damaged binaries and the not-exactly-malicious Find and Call app using spammy methods of self-promotion via the customer’s contact lists. Sounds a bit like unauthorized access to me, but then an awful lot of Facebook apps – or is that a lot of awful Facebook apps? – do something rather similar. Still, spamming a customer’s contacts is too close for comfort to spamming a malware victim’s contacts, whether it’s with ‘harmless’ spam – isn’t nearly all spam in some sense fraudulent? – or malicious URLs.

Well, corrupted binaries are certainly a problem, though not one I’ve encountered personally, to date. Defrauding either the customer or the developer is in some ways more significant than a transient distribution glitch. Not because it shows that more people than you might think will hoist the Jolly Roger if you offer them a way of evading having to pay for software, and not even because Apple’s mechanisms for securing App Store transactions failed – that’s unfortunate, but no-one can guarantee 100% security 100% of the time, and while Apple’s public actions so far seem to have been more focused on the breach than on the vulnerability, I imagine that the company is addressing that too. I don’t suppose it’s a five-minute job. Then there’s the report from a major AV company that 18.6% of iPhone apps have the ability to access a user's contact details without asking, 41% track the customer's movements, and only 57.5% encrypt those data (that’s based on a sample of 65,000 apps, apparently) .
What does this all tell us? Not that the iOS app landscape is the Wild West (especially if you choose not to jailbreak), but it’s not security Nirvana, either, even if you leave aside a plethora of fraudulent social engineering attacks. Being (more or less) safe from out-and-out malware isn’t the same as being safe from ethically dubious or downright malicious behaviour. But then, that’s true of the entire online universe.

What’s Hot on Infosecurity Magazine?