A Swiss iPhone developer has published research that indicates that security vulnerabilities affecting the iPhone are not limited to jailbroken iPhones. Developer Nicholas Seriot has created a proof of concept app called SpyPhone as a demonstration of how Apple’s own APIs could be misused to read or edit a user’s address book or gain access to a user’s web surfing history or recent location information. For such attacks to succeed, a malicious application would still need to get past Apple’s App Store approval process to be available for non-jailbroken iPhones, however this is not outside of the realm of possibility as such an app would not require the use of any exploits or third-party APIs, and the spyware portion could be hidden by delayed activation or an encrypted payload.
The security researcher detailed these potential iPhone privacy risks in a talk he delivered in Geneva on Wednesday, during which he also outlined possible defense strategies, suggesting that Apple should design the iPhone OS to require users to authorize read or read-write access by iPhone applications to potentially sensitive on-device information such as the Address Book, add firewall functionality to the device and ensure the keyboard cache is not as readily available to third-party applications. (via The Register).