A Swiss iPhone developer has unveiled a new application that is capable of harvesting huge amounts of personal data from iPhones, including geolocation data, passwords, address book entries and email accounts information, images, Safari Browsing history, youtube, keyboard logger, etc. all this using just the public API exposed by Apple’s SDK.
In oder for this application, SpyPhone, to work, it does not need any exploits or any jailbreaking/firmware modification, attacks in order to access the iPhone’s data. Instead, SpyPhone relies on using the iPhone’s usability and depth of features to its advantage. Once an application is on an iPhone, it has unrestricted access to the large amount of the data and settings available on the device.
Seriot, the application developer, has posted the source code for SpyPhone online and gave a talk detail document on iPhone Privacy at a security conference, earlier this week.
The Worst Part: SpyPhone is more like a Trojan sitting in your OS silently and stealing data. All of the SpyPhone’s operations are executed in the background, without the knowledge of the iPhone’s owner, and just like any other Trojan, the application can be set to email reports on each infected phone back to the attacker.
And when this kind of app makes it to App store, it becomes a serious issue. And who knows if “one of those spyware apps” already has SpyPhone-alike features.
The article is sensationalized but basically the guy is just trying to say any app can do this as it uses public APIs. If you're interested in trying it out, you can download the app from: http://github.com/nst/spyphone/. This proof of concept DOES NOT phone home, so any information retrieved will only be shown to you.
Edited by /- Razorfold, 29 July 2010 - 09:19.