Thursday, July 5, 2012

“Find and Call” Trojan

Denis Maslennikov:

[Our] analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to a remote server. The ‘replication’ part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.

Via Jeff Johnson, who asks, “Isn’t the review process supposed to protect us from this?”


There's no way the review process will protect against malicious intent. For all we know, sending the contact list might be triggered by a flag from the developer's server, and that flag could be off until the app is effectively in the store. The reviewer would never have a chance to catch what was going on.

I'm not saying this is how this app passed. But if it was, Apple certainly couldn't catch it short of doing an extensive code review, but even then it's hard to review the code since developers don't share the source with Apple.
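As an added illustration of the server-gated scenario in the comment above (and of the phonebook upload Maslennikov describes), here is a small Python model. It is not code from the original post, from Kaspersky, or from the actual "Find and Call" app; every name in it (FakeDeveloperServer, read_contacts, http_post, sync_contacts, SAMPLE_CONTACTS) is a hypothetical stand-in, and the address book is constructed sample data. A black-box review run with the server flag off sees nothing leave the device; the identical code with the flag on uploads the contacts. The second half shows the kind of check that does not depend on the flag: a source/sink capability scan that asks whether a code path can both read contacts and reach the network, whichever branch executes at run time.

```python
# Added example (hypothetical stand-ins throughout); not the app's real code.
import ast
import inspect

# Constructed sample address book for the demo; not real data.
SAMPLE_CONTACTS = ["+15550100", "+15550101", "+15550102"]


class FakeDeveloperServer:
    """Hypothetical stand-in for the developer's backend. It hands the app a
    config flag and records whatever the app uploads."""

    def __init__(self, upload_contacts):
        self.upload_contacts = upload_contacts
        self.uploaded = []

    def get_config(self):
        return {"upload_contacts": self.upload_contacts}

    def receive(self, payload):
        self.uploaded.extend(payload)


def read_contacts():
    """Stand-in for the platform address-book API (hypothetical)."""
    return list(SAMPLE_CONTACTS)


def http_post(server, payload):
    """Stand-in for a network request to the developer's server (hypothetical)."""
    server.receive(payload)


def sync_contacts(server):
    """The gated code path. The shipped code is identical before and after
    approval; only the server-side flag decides whether contacts leave the
    device."""
    if server.get_config().get("upload_contacts"):
        http_post(server, read_contacts())
    return "sync ok"  # the app reports success either way


def dynamic_review(flag_during_review):
    """What a black-box review run observes: exercise the app once with the
    flag in whatever state the developer's server serves at that moment, and
    return the list of contacts that were uploaded."""
    server = FakeDeveloperServer(upload_contacts=flag_during_review)
    sync_contacts(server)
    return server.uploaded


# Capability check that does not depend on which branch runs.
SENSITIVE_SOURCES = {"read_contacts"}
NETWORK_SINKS = {"http_post"}


def called_names(func):
    """Collect the names of every call expression in func's source."""
    names = set()
    for node in ast.walk(ast.parse(inspect.getsource(func))):
        if isinstance(node, ast.Call):
            target = node.func
            if isinstance(target, ast.Name):
                names.add(target.id)
            elif isinstance(target, ast.Attribute):
                names.add(target.attr)
    return names


def static_capability_scan(func):
    """Return (reads_contacts, sends_to_network) for func. True/True means the
    function *can* exfiltrate contacts regardless of what the server said
    during the review window. This is a coarse source/sink co-occurrence
    check, not taint tracking."""
    names = called_names(func)
    return bool(names & SENSITIVE_SOURCES), bool(names & NETWORK_SINKS)


if __name__ == "__main__":
    print("review run, flag off:", dynamic_review(False))
    print("after release, flag on:", dynamic_review(True))
    print("static scan of sync_contacts:", static_capability_scan(sync_contacts))
```

On a real iOS submission the reviewer has a binary rather than source, so the equivalent check looks at which address-book and networking APIs a module imports rather than at an AST. The scan here is deliberately coarse: it flags co-occurrence, not data flow, so a legitimate contact-sync feature trips it just as the gated upload does, which is exactly the trade-off between false rejections and missed malware that the rest of this thread argues about.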

@Michel Exactly. That’s why some of us have been critical of the review process all along. I read about apps and updates submitted more than a month ago, important bug fixes delayed for weeks—and for what? It’s not possible for Apple to protect users.

"even then it's hard to review the code since developers don't share the source with Apple."

Well, sharing the source code with Apple is probably the next step.

Anyway, the real problem is that the review team is not technically qualified to review what an application is doing.

And, when they use Apple's internal tools to check what an application is doing during its execution, they do not understand what these tools report. Trying to explain to them, politely, that they are plain wrong is a dead-end. Because, you know, they know better than you what your application does.

This is one quadrant. Here are the others:

2. Some people are making money on apps that do nothing but, say, enable Emoji keyboards. They pretend that they "install SMS smileys!" and Apple lets their lies stand.
3. Some people are making awful, buggy apps.
4. Some people can't make useful apps because they don't rub Apple the right way. They can't include useful features and they have to go through Apple to make money.

It's as hard as ever to justify the policy with anything other than "Apple just wants to control this, okay?". What little protection you get from extra review obviously doesn't outweigh the other downsides or maintain quality.

@bob Their internal tools got confused, and they kept rejecting my app because they thought it used Java!

I think if the small yet very vocal portion of developers who do nothing but complain about the review process were old enough to have owned a Palm OS device, we would hear a different tune. Stop complaining; the rules are the same for everyone. Or continue to complain, but start acknowledging every time you install an app and it doesn't break your phone.

@Ölbaum I get the impression that it’s the older folks who complain more about the review process. I remember compiling software for the original Palm device—when it was called the Pilot. I’m actually not sure that the rules are the same for everyone.
