Over on Threatpost.com, Dennis Fisher has the skinny on a new iPhone app that is capable of harvesting huge amounts of personal data from stock iPhones, including geolocation data, passwords, address book entries and email account information, all using just the public API.
The app, called SpyPhone, is the handiwork of Nicolas Seriot, a Swiss iPhone app developer who found a way to abuse the public iPhone API that Apple made available for application developers. Fisher reports that SpyPhone does not need any exploits or hardware attacks in order to access the iPhone's data.
Instead, SpyPhone turns the iPhone's usability and depth of features to its advantage. Once an application is on an iPhone, it has unfettered access to much of the data and settings on the device, a circumstance that SpyPhone's developer, Nicolas Seriot, exploited.
The developer posted the source code for SpyPhone online and gave a talk about SpyPhone's capabilities at a security conference this week.