SpyPhone app harvests personal data from stock iPhones

Summary: The iPhone app can snag geolocation data, passwords, address book entries and email account information, all using just the public API that Apple has made available to developers.
Over on Threatpost.com, Dennis Fisher has the skinny on a new iPhone app that is capable of harvesting huge amounts of personal data from stock iPhones, including geolocation data, passwords, address book entries and email account information, all using just the public API.

The app, called SpyPhone, is the handiwork of Nicolas Seriot, a Swiss iPhone app developer who found a way to abuse the public iPhone API that Apple made available for application developers. Fisher reports that SpyPhone does not need any exploits or hardware attacks in order to access the iPhone's data.

Instead, SpyPhone turns the iPhone's usability and depth of features to its advantage. Once an application is on an iPhone, it has unfettered access to much of the data and settings on the device, and that is the circumstance Seriot exploited.

The developer has posted the source code for SpyPhone online and gave a talk about SpyPhone's capabilities at a security conference this week.

Topics: Hardware, iPhone, Mobility, Smartphones

  • At least it is an app

    With Android Google's spy service is integrated. Which is worse?
    • Both are optional, so neither?

  • So how would you get this on a non-jail-broken iPhone?

    This is a perfect example of why Apple has adopted what
    many here call oppressive control over what goes on the
    App Store. The only way that you could get this app on
    your iPhone would be to download it from the App Store
    (assuming you have not jail-broken the phone). And of
    course, Apple is not going to put this app in the store.

    This app simply shows the wisdom of not having a wide
    open system where anyone can place any app. Apple is
    rejecting multitudes of apps that are trying to do this very
    thing. Once in a while an app may slip through that
    should have been rejected, but it seems like the Apple
    system is working very well.

    If it is so easy to access this information through the API
    and it is not happening, then the logical question is "why is
    it not happening?" This story should be highlighting that
    even though people should be able to steal your data, it
    isn't happening because Apple's policies are working. But
    that wouldn't be a very exciting story, especially for the
    Apple haters.
    • I look at it from a different angle

      Apple has always claimed their superiority in terms of "most secure" and "most advanced". The reality is that the only way their iPhone OS seems to be able to continue this illusion is by playing Big Brother in regards to their App Store... the end result being that more are inclined to Jail Break just to put on the Apps they actually want.

      This kind of methodology is not only completely unethical, it is no real security measure at all, but rather a smoke screen. Reality... there IS no such thing as a 100% secure/unhackable OS (mobile or otherwise) and Apple needs to take security seriously instead of simply hiding its OS offerings behind a wall of oppression and pretending that this will keep the Bogey Monsters away... the growing trend of Jail Breaking to get over that wall should truly show Apple that this approach simply doesn't work!
    • You DID read the headline

      The part where it mentions the stock iPhones - which are also known as non-jailbroken iPhones, meaning these stock iPhones are just as Steve Jobs and Co intended... I just felt I had to point that out...
      • I did...

        ... but he still has to get it past the AppStore vetting procedure. It is an interesting "proof of concept", but until he gets around the app approval process, it won't actually be of much real-world use.

        It proves that there are flaws in the API, sure. But it still requires the user to install the app and it requires Apple to approve it...
  • How is this news?

    The iPhone is a mini computer. Any doofus can make an app
    that does that same harvesting on a Mac or Windows, because
    all of those things are stored in user space by necessity.
    Oh, right. Nobody's panicking, because everybody knows that
    any unknown app on any computer can in theory behave badly,
    including gathering your private data and sending them off to a
    server in Uzdontmakemelaughistan.

    Sigh. Filed under "Usual FUD by a security company affiliate."
    • You've got it all wrong!

      This is definitive proof that Microsoft>Apple, DUH!
      I mean, after all, there aren't things like this <a href="http://mediakey.dk/~cc/tap-bug-and-spy-on-a-mobile-phone-nokia-samsung-lg-blackberry/">for</a>
      <a href="http://www.blackberryforums.com/aftermarket-software/167698-spy-ware-bb.html">the</a> <a href="http://www.blackberryspyapp.com/">BlackBerry</a>, right?

      edit: formatting messed up from links ;/
      • in case you didn't know.

        Blackberry is Research in Motion, not Microsoft.
        • He has a point, of sorts

          Someone downloads and installs a malicious file on a Windows machine, it's Windows' fault.

          Do the same thing on an Apple and it's the user's fault.

          The real lesson here is if you don't know what it is, don't install it.
          • Unless of course

            the code is built into something you think you do

            Apps within apps......

            Oh the fun!
          • So this means that

            Apple's rigorous screening of apps is a good thing. Things won't be so
            with the Droid, et al, which will basically be a free for all as far as app
            development goes. Good luck.
  • No delivery method

    Without getting this into the App Store, the only delivery
    method will be to either jailbreak your phone, or to set your
    phone up as a dev machine and load it manually. Non-story.
  • RE: SpyPhone app harvests personal data from stock iPhones

    How do you know it's not happening?

    Several applications have already been pulled from AppStore for
    stealing data: Aurora Faint, MogoRoad, Storm8, ...

    How do you know your memory cards game is not stealing your

    You don't.
    • So this is why the AppStore is regulated by Apple then?

      This is exactly the point of having some control over Apps.

      A Mobile Phone App has to be able to get at personal data to do the
      sorts of things that are useful on a mobile phone.

      If there was no Apple regulation of these Apps then those Apps that
      were stealing data would still be distributed to the users.

      So for all those of you thinking that Android or Windows CE phones
      are safer - think again.

      Now what's the advantage of a free and open App market for Android?

      How much better are the users going to be when the rogue apps are
      freely available without any filtering?

      And where exactly is the security leak news?

      BTW - no, it isn't MS's fault when someone loads a trojan app. It is
      MS's fault though when millions of Windows PCs are botnetted
      through backdoor exploits and through the pif/bat/exe etc mail

      It is MS's fault when there is a necessary culture of fear that AntiVirus
      software is necessary so the users respond to alerts warning them to
      download anti-virus protection immediately, and so they download
  • RE: SpyPhone app harvests personal data from stock iPhones

    These days this kind of spyphone software is spreading like a virus; my gf also bought one from www.thespytools.com and she is using it on her friends' mobiles.
  • Your data is up for sale.

    Whether it is on your iPhone or the cloud.

  • This is burglary, and it sucks.

    Why does nobody recognize this, and other spyware, as electronic burglary of salable personal property, and why is it not prosecuted under existing statutes?

    Market research is a business. They pay for this information. If they are paying anyone, it should be the poor consumer who is being mined for it.
  • RE: SpyPhone app harvests personal data from stock iPhones

    From the past releases of tens of critical security patches at a single time, Apple seems to be in the situation Microsoft was in a few years ago - take secure programming practices more seriously, and do penetration testing. Except Apple is not too eager to admit to any systemic security problems. Being a fashion symbol in the consumer computing industry does however make it unlikely that Apple would admit to its existing clients that it had done a really lousy job in terms of security. Apple will rather spin it as a "feature" where usability was chosen on purpose over security.

    I am personally upset I cannot install OS X Leopard on my mini-Mac because there is no CPU specific version for it. I'm left with a piece of hardware junk, because Apple's backwards compatibility is non-existent. They want customers to spend money for their own gigantic profit margins, and leave them in the cold in the next few years. New hardware platforms make a good excuse that customers of Apple - not having experience with PCs and Microsoft Windows - will take years to recognize as demanding ransom. It's fair to say Apple's customers are years behind Microsoft customers in terms of becoming aware of being taken financial advantage of.
  • RE: SpyPhone app harvests personal data from stock iPhones

    Developers could always write code that accessed the contact list. (As they should be allowed.)

    If someone writes a virus, Apple will IMMEDIATELY delete the app... and the developer... and we can even file a lawsuit against them.

    That is *FAR* different than a jailbreak-virus: It can do a-n-y-t-h-i-n-g. And no one person can stop it from happening.