In the past couple of weeks, there has been some breathless reporting about how iOS users could now install pirated apps without having to jailbreak their phones. This was made possible by certain Chinese app store-like services.

Some of the reporting has been wondering how this was possible, but anyone with knowledge of iOS enterprise deployments knew what was going on. The same features which allow enterprises to deploy their own custom apps have now been abused to deliver pirated apps to users.

This “newly discovered” method represents one of the methods to get malicious/fake apps onto the iOS devices. However, because the iOS sandbox has not been compromised, what each app can and can’t do is rather limited. The iOS app may try to send out some personal privacy information to external server which creates privacy data leakage problem.

Read the rest of this entry »

Last week the news sites were full of headlines proclaiming that the “first iOS malware” had hit the iOS App Store. Just one problem with those headlines: they weren’t 100% accurate.

The “Find and Call” app – the Android version of which we detect as ANDROIDOS_INFOLKFIDCAL.A, and the iOS version as IOS_INFOLKCONTACTS.A – has only one key feature. It sends the user’s address book to a remote server without the user’s explicit say-so. Simply put, that’s a clear violation of privacy and apps shouldn’t be doing it. Period. In this particular case, the people in the address book were spammed, but that was done by the remote server, not the “malware” itself.

But there’s one problem. Legitimate apps have done exactly the same thing before. The social networking app Path was famously caught doing this earlier this year. Path came under tremendous fire for breaching user’s privacy so blatantly.

This was enough of a concern for Apple that the iOS 6 beta explicitly requires user consent every time before an app can access/send a user’s contacts, calendars, reminders, or photos.

The fact is that enough legitimate apps want access to user’s behavior that the practice of sending a user’s calendar information to a server isn’t instantly thought of as “bad” behavior anymore, because so many people let their apps do it. Unfortunately, the act of sending a user’s contact list has been “legitimized” by these apps, even if it remains, strictly speaking, odious behavior. In fact, “Find and Call” did explicitly ask for access to the user’s contact list:

Users should ignore the exaggerated hype about this “first iOS malware” to think about what it really did – it gave an app (and, implicitly, the people behind that app) access to their contacts. Think about how many apps ask for similar permissions – usually in the guise of sharing with or finding your friends/contacts. This incident should serve as a wake-up call to users as to exactly who – and how often – they’re giving their information to.

Apple deserves kudos for giving users the tools to help manage their personal information. Other mobile OS vendors should follow suit to provide all users with methods to protect their privacy.

Many of us are becoming increasingly familiar with the power and ease of using modern mobile OSs like iOS, Android, Windows Phone 7, and WebOS. These allow users to browse, check their email inboxes, use apps, and connect with friends with remarkable ease.

It shouldn’t be a surprise then that more and more people want to use these same platforms in the workplace. In many cases, the devices are owned and paid for not by the company but by the employees themselves. Many IT departments—faced with manpower and financial constraints due to the economic climate—agree. A Computerworld survey in September 2010 suggested that 75 percent of all organizations already support the use of employee-owned mobile devices, as this presents a win-win situation. The employees are happy in that they get to use the devices of their choice and the employer is happy as the employees shoulder the mobile device and subscription costs.

Many companies now support multiple mobile platforms (e.g., relatively new ones like iOS and Android OS) besides the traditional enterprise platform—BlackBerry OS. It’s also worth noting that whether or not devices are officially supported or not, they will still be used on office networks. In fact, according to a 2010 survey, 41 percent of IT professionals said that unauthorized devices already connect to their networks.

What Kind of “Support” Do Companies Offer?

The degree of “support” offered for these platforms widely varies. Enterprise-oriented platforms traditionally featured strong mobile device management (MDM) capabilities. System administrators can control many aspects of the phones—what settings should be used, what kinds of password are safe to use, what applications can be installed/run, and so on. In an enterprise environment, this was perfectly normal and expected, as desktops are similarly managed.

However, that simply is not the case for employee-owned devices. The platforms themselves may include the necessary features for MDM, albeit one key difference—phones sold to consumers don’t have these features properly set up. IT departments are thus left with two options—provide limited “support” for these devices (which, more often than not, is limited to allowing access to internal email servers) or get their employees to allow MDM onto their self-owned devices. One is easy and cheap to do; the other, more difficult and expensive. Which one will end up being done?
Read the rest of this entry »