Fears over iPhone app security glitch


This was published 11 years ago

By James Manning

When selling or giving away your old iPhone, you could be granting the person who buys it access to your personal data, even after you've wiped it.

Certain applications use your phone's unique device identifier (known as a UDID), a fixed value tied to the hardware that a factory reset does not change, to identify you and sign you in to their service.

ispyPhone ... Is your smartphone watching you? Graphic: Liam Phillips

If someone who bought your iPhone downloaded one of these apps that you also had on your phone, they would be automatically logged in as you and shown the data and settings you had in that application.

"It's just a very poor security architecture choice," says Chris Gatford, director of security consulting company HackLabs.

The Grindr app, left, and founder Joel Simkhai's profile.

"We certainly wouldn't recommend only relying on UDID values as an authentication mechanism."

One such application that relies on a phone's UDID to log users into its service is the popular gay dating app Grindr, and its heterosexual equivalent, Blendr.

While it does not send the exact UDID, but a value produced by running a Secure Hash Algorithm over the UDID, hashing does not change the problem: the hash is a deterministic function of a number that is tied to the device, so the same phone produces the same identifier no matter who owns it or how many times it has been wiped, and the data on the server stays linked to it.
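To make the point concrete, here is a constructed Python illustration (added for this article; not code from Grindr, Blendr, Apple or any other party) of a server that treats a hashed device ID as the whole login, beside one that requires a per-account secret kept in device storage that a wipe erases. The UDID value, user names and profile contents are made up, and the Python dictionaries stand in for the server database and the app's keychain entry.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed illustration of the two login designs discussed in the article.
# Nothing here is taken from any real app's code; all values are made up.


def hashed_device_id(udid: str) -> str:
    """Identifier derived from the UDID with SHA-1. Hashing keeps the raw UDID off
    the wire, but it is deterministic: the same device always maps to the same
    value, before and after a factory reset, whoever owns it."""
    return hashlib.sha1(udid.encode()).hexdigest()


class UdidOnlyService:
    """Server that treats the hashed device ID as the whole identity (the weak design)."""

    def __init__(self) -> None:
        self.profiles: Dict[str, dict] = {}

    def login(self, udid: str) -> dict:
        key = hashed_device_id(udid)
        # No secret is checked: whoever holds the hardware is "authenticated".
        return self.profiles.setdefault(key, {"favourites": []})


class AccountService:
    """Server that requires a per-account secret. The client keeps the secret in
    app/keychain storage that a factory reset erases, so a new owner has nothing
    to present. (The token hash and constant-time compare are standard practice,
    not a description of any particular app.)"""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}

    def signup(self, username: str) -> str:
        token = secrets.token_hex(32)
        self.accounts[username] = {
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "profile": {"favourites": []},
        }
        return token  # handed to the client once; only that device stores it

    def login(self, username: str, token: Optional[str]) -> Optional[dict]:
        rec = self.accounts.get(username)
        if rec is None or token is None:
            return None
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(rec["token_hash"], presented):
            return None
        return rec["profile"]


def resale_udid_only() -> List[str]:
    """Seller uses the app, wipes the phone, buyer installs the same app.
    Returns what the buyer sees after logging in."""
    service = UdidOnlyService()
    udid = "0123456789abcdef0123456789abcdef01234567"  # constructed 40-hex UDID
    seller_view = service.login(udid)
    seller_view["favourites"].append("user42")
    # Factory reset: local app data is gone, but the UDID is a property of the
    # hardware and survives, so the server finds the seller's record again.
    buyer_view = service.login(udid)
    return buyer_view["favourites"]


def resale_with_account() -> bool:
    """Same scenario with a per-account secret; True means the buyer is locked out."""
    service = AccountService()
    device_storage: Dict[str, str] = {}  # stands in for the app's keychain entry
    device_storage["token"] = service.signup("seller")
    service.login("seller", device_storage["token"])["favourites"].append("user42")
    device_storage.clear()  # the factory reset erases the stored secret
    buyer_session = service.login("seller", device_storage.get("token"))
    return buyer_session is None


if __name__ == "__main__":
    print("UDID-only design, buyer sees:", resale_udid_only())
    print("Account design, buyer locked out:", resale_with_account())
```

The first scenario returns the seller's favourites to the buyer because nothing in the exchange is secret; the hash only obscures the UDID, it does not add anything the buyer lacks. The second fails closed because the only thing the server will accept is a value that lived in the wiped storage.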

The vulnerability affecting second-hand iPhones is similar to that revealed by Fairfax Media, publisher of this report, earlier this year, which saw Grindr users' profiles hacked and altered.

Apple fans display the iPhone 4 in June, 2010 in New York.

In January, Fairfax revealed that a Sydney-based hacker had discovered a way to log in as another Grindr user, see their favourites, chat and send photos on their behalf, and had used some of the vulnerabilities to change victims' profile pictures to explicit photos.

However, Grindr said that only "a small sub-set" of users in Australia and the UK had been affected by the breach.

"These breaches affected 720 profiles, or .024 per cent, of a total of 3 million users worldwide," Grindr founder and CEO Joel Simkhai wrote in a letter to two US congressmen who had demanded an explanation of the company's security breach.

The company has defended its use of hashed IDs, claiming that they protect the anonymity of its users and remove the need to collect and store account information and personal data.

"We will phase out the use of UDIDs and introduce account user names and passwords in a new version that we expect to release in mid-2012," Simkhai said in the letter in March.

When contacted by Fairfax Media, the company would not comment on the specifics of its security enhancements or when they would be completed.

But security experts warn the fate of your old iPhone is not the biggest concern surrounding applications that rely solely on UDIDs – this could have implications for your device while still in your possession.

"It's an indicator that there are probably other poor design choices being made, which may affect security around that particular application," says Gatford.

With many employees now using their own mobile devices for work purposes, poorly built applications can affect entire companies, not just an individual's handset.

Installing an insecure application on a device that connects to a corporate network puts company data at risk, including files, emails, user names and passwords.

"Enterprises should take an interest in the applications that their users are using on their phones and implement some kind of control," Gatford says.

"We'd certainly be looking to people like Apple to encourage developers to secure their applications."

Apple has recently confirmed that it is now rejecting apps that rely solely on a UDID for in-app identification, and has told developers to find alternatives.

But this has been met with frustration from both developers and advertisers.

A recent study by MoPub, an international ad server for smartphone apps, indicates that developers without access to UDID data could get as much as 24 per cent less when selling ads on their apps.

Essentially, the UDID lets an advertiser recognise the same device in two places: the app where the ad was shown and clicked, and the advertised app once it is installed. Matching the two is how they measure whether an ad worked.

"The move away from UDIDs threatens advertising revenue that many publishers depend on in order to support their content creation and businesses," said CEO and co-founder of MoPub, Jim Payne.

For the time being, it remains difficult for the everyday user to judge how safe and secure an application is. A weakness usually only becomes visible once a breach has been found, reported and eventually fixed; until then, users are left to rely on common sense.

"Update your apps, update your devices ... always look at the reviews, always try to pick applications that have a good security track record," says Gatford. "It's easier said than done though."
