Prepare to freak out! iPhone developers are using apps to pass your phone number to telemarketers
Our good friends over at the French Mac site Mac4Ever have alerted us to a somewhat alarming development. Apparently a few days after purchasing the Swiss app MogoRoad, a free radar tracking application, users are reporting receiving telephone calls asking them if they’d like to purchase the FULL version of the application. When asked how the caller had obtained their number, the responses vary, but generally the person tells you that Apple sent them their number at the time of purchase.
Obviously this is not the case, as Apple does not forward any information on its customers to third parties, so Mac4Ever did a little testing using the latest iPhone SDK and discovered that it is extremely easy for a developer to send a user’s phone number to their servers without their knowledge. In fact, the hole has been around since the 2.1 firmware.
“But after deep investigation, it appears that programmers are able to retrieve the personal iPhone’s user number, with one unique line of code! This data can then be sent to remote databases, which collect personal information, without notifying the user.
We tried this method quickly with the official SDK: it works!
Readers mostly pointed out mogoRoad, a Swiss application that gives traffic information for free. When reading comments on iTunes, it’s clear that a lot of people did receive the famous call as well.
Currently, the buyer explicitly gives its coordinates to Apple. Developer side, Apple is the only interlocutor, and it is impossible to have access to personal data of customers. But the access number is available since firmware 2.1, according to our survey. Moreover, it seems surprising that those responsible for the validation do not check that certain sensitive data, such as phone number, do not pass freely through the internet. This could be the beginning of a real scandal for the firm Iceberg, because nobody knows how many applications are currently collecting phone numbers.”
We’ve yet to hear of any reports of this type of data collecting here in the US, but this is exactly the type of thing that tends to freak out privacy advocates (and rightly so, if true), so prepare for this one to spread across the interweb even faster than the usual anti-iPhone news.
NOT COOL! Apple needs to plug this hole up NOW!
I think this is something Apple should catch in their reviews for the App Store… I’m sure they monitor all of the traffic being spit out of the app, they should catch that the phone number is being spit out over the airwaves and not find a reason for it to be broadcast like that. They should reject any app that illegitimately beams one’s phone number out.
This is the type of thing that Apple should be looking for when they review apps for approval in the App Store. This is the type of thing that I’m interested in being protected from.
Blackberry has the same thing.
http://forums.crackberry.com/showthread.php?t=696
iPod touch’s looking better huh?
Kos said “I think this is something Apple should catch in their reviews for the App Store…”
Unfortunately this is not something that Apple can catch during the review process because sent data can be encrypted. Apple however should immediately plug this hole on the SDK side.
Alex, what makes the Touch any different from the iPhone? still can connect back with WiFi.
this now lends itself to what other info can the sdk send.
are my notes safe? are they getting my e-mail addresses?
are they sending e-mails from my addresses?
can they download and install programs that i don’t know about?
This is bad news any way you say it.
Exactly why I was worried about downloading those eWallet apps that store your Visa card from the AppStore. I was always worried about other apps getting this info.
Hey,
first you store all your personal data in your iphone…
contact …calendar…music, notes, msn/jabber/icq/facebook/linkedin account
browse *everything*
and later you are worried to lose just your phone number?
LOL
A number of voice dialing apps send your whole addressbook to a server and a couple app developers have been reprimanded for doing so for no particular reason (it’s one of the reasons Apple cites for not approving Google Voice). This is more a problem of what this developer did with one piece of information from the global preferences (like I’m going to buy your app if you make unsolicited calls).
@Jim, what makes the touch different is that it isn’t a phone. If there’s a phone number in the global preferences for an iPhone, I wonder who this company is calling—it certainly isn’t iPod touch owners.
@Darren, I should hope that any app storing credit card data is encrypting it. Besides, this is about accessing global preferences, not data from other apps.
@Dave-O The phone number is only one small part of the whole puzzle what about all the other personal info users might have, full contact info, CC#’s, passwords etc…
And yes this is about other app’s data possibly being available. Take a look at the big picture here not just the tiny piece in the corner.
what is the point of storing the credit card info encrypted? if they have access to the data they know how to decrypt it. they wrote the software.