Friday, April 23, 2010

iPhone OS Security

Louis Gerbarg on Core Location:

In iPhone OS 4.0 this is being greatly improved, so much so that the improvements were demoed in the keynote. In 4.0 there will be a status bar indicating that an app has recently used CoreLocation, it will be possible to look at the list of apps to see what has used your location in the last day, and turn on and off their access. All of this works without changes to the existing APIs, so all existing apps that use CoreLocation will be affected, resulting in much better security of the user's location information, and the ability to notice and identify if something is using the data without your consent.

and Address Book:

By exposing the address book database in this way not only has Apple introduced a way for applications to read all of the address book data without going through the AddressBook API, they have also exposed an attack vector for applications to insert poisoned address data that can be synced back to other devices, or even attack other applications inside their own sandboxes.

It’s odd that applications can’t directly share files with one another, but yet any application can read and write to the address book (and transmit it over the network), with no audit trail. On the Mac, I am at least somewhat protected by fine-grained backups and Little Snitch.
