Storm8 makes games like Vampires Live and iMobsters, that operate very similar to the popular Facebook game "Mafia Wars," including letting you spend real money to get better weapons and more energy in the game. Many of Storm8's titles are top iPhone game app downloads, probably because each game says that you can get extra points in it if you download one of their other games.
BoingBoing reports that the number harvesting was hidden until the company noted it in August, chalking it up as a bug. However, the lawsuits says that only "very specific and specialized software code" could do that. Storm8 has not returned BoingBoing's requests for comment.
Lawsuit text (PDF)
iPhone game dev accused of stealing players' phone numbers [BoingBoing] (Photo: C?vin ?)
]]>"An app could harvest data but it cant damage the phone itself."
The DATA is what is WORTH stealing - you realize that right? Corporate email, documents, etc have value and can be sold to someone - no one is interesting in renting time on a cell phone botnet or bricking phones just to be malicious. If someone is targetting a cell phone it is because they want they data on it, and this article is a great example of that.
It is, incidentally, why folks that point out that a layered permission model is some kind of security silver bullet and thus why linux/OS X are more secure are off base (and not just because the NT line of Windows has a similar permissions model). Malware produces revenue in two ways - taking data that can be stolen and renting computational time (for SPAM zombies, brute force attempts to break passwords or encryption keys, etc). The former generates by far the most money for malware, and generally the latter is used to get the former. The layered permissions model does nothing to protect a user's data, except from other users on the system. Anything executing as them has access to the same data they have access to. Data is the currency of the malware trade, so the fact that a user land iPhone exploit can "only" get data is really no comfort at all (and completely ignores the multitude of elevation of priviledge attacks possible to get root).
]]>I don't think you understand malware very well. It is true that I can't get a trojan by downloading and running arbitrary applications off of the web (as this article points out, you can still get a trojan, you just have to go through Apple to do so) that is by no means the only way malware propogates.
Vulnerabilities in a number of iPhone components can lead to arbitrary code execution - this is EXACTLY how iPhones are jail broken. However what is being exploited for argueably benign purposes (or at least purposes that the owner is cool with) can also be exploited for malicious purposes. The various Safari vulnerabilities could just as easily be used to execute email harvesters as they could for unlocking the phone. Safari isn't the only entry point - Apple is terrible about documenting what they actually patch in OS updates but if you read through them it is still possible to infer that the iPhone wifi drivers and bluetooth drivers have both had buffer overruns that could be used to execute arbitrary code (from a purely academic standpoint it would be interesting to watch the spread of iPhone viruses distributed this way via compromised airport access points, and then from iPhone to iPhone - I suspect it would almost perfectly mirror human pathogen models since it would be proximity based. Note, not advocating it, simply finding the idea interesting). Similarly, their media codecs are REGULARLY compromised - exploits against Quicktime is one of the leading causes of Windows malware propogation - and it is entirely possible to simply alter the exploit to target the iPhone with a malformed media file instead.
There is absolutely nothing about the iPhone design that makes it bullet proof to code execution vulnerabilities - quite the opposite when you look at the fact that most of the components share code with the desktop and also regularly have vulnerability advisories released against them.
]]>One line of code pulls the number, and they are already sending data back to their servers. It is certainly wrong of them to have done it, but it requires nothing custom or specialized.
]]>@fantomesq: Android has a kill switch, even Windows Mobile apps installed via the new Windows Mobile Marketplace can be remotely deactivated and uninstalled.
]]>I am rather surprized this company did this in the first place, they had a good thing going there, revinue from several games that sold rather well. What possesed them to steal the numbers? Anyone in their right mind knows they will eventually get caught, then the gravy train is over.
]]>Another reason not to get an iPhone. Funny. Because I read that as, "I have sour grapes."
]]>It's surprising to learn that something like this is possible, espescially after Apple is supposed to "review" all apps before allowing them into the App Store.
I hope Storm8 gets what's coming to them.
]]>The "such protections" I referred to included 1) a review process for the apps that can reject apps, 2) apps distributed from a single (controlled) source and 3) the ability to remotely shutdown rogue applications that slip past the aforementioned protections. I believe that Android lacks all of these.
My point was NOT that Android sucks - its not bad for an early revision (although the hardware leaves a lot to be desired) - but rather that the poster was incorrect in asserting that the iPhone was now somehow vulnerable to viruses because one company slipped an app through. Its simply not.
]]>Please do some reading before you start posting about how amazing the iphones security is when compared to other smart phones because you are simply wrong.
]]>I dont know how the iphones app store works but on the Android app store before you download any app a security warning pops up and tells you what the app tries to access on your phone, for example.
Full Internet Access
Contact Data (reads contacts)
Messaging (can read and or send messages)
Thats just a couple of the warnings but it always make it clear what an app can do, so if you dont want to risk it then you dont download. Also it has an option to report malicious apps which Google reviews fairly quickly and removed them if needed.
Again unless a user has rooted their phone they dont have to worry about damage to the device. Even if they have rooted the phone they have to grant the app super user access (on android anyways) before it can do anything that effects system level files. When an app needs to run as a super user/admin a OS prompt pops up and you have to grant or deny its access.
]]>Which part?
The idiotic, scammy company trying to pass off harvesting user data as a software bug?
Or the assholes with too much money on their hands that actually pay for in-game content instead of saving it or donating it to charity?
There's a reason it's illegal in games like WoW. It ruins the experience for those who play the game legitimately or those who don't have the cash to buy a million-bazillion Gold for $1,000. And this company is doing it intentionally...
]]>I don't think it in anyway suggests that programmers in general are more likely to be sued. This is, after all, one developer out of tens of thousands on the App Store that got sued because he earned it.
Moral of the story? Don't be a dumbass and you shouldn't get sued.
]]>@jaket: Well the simple solution would be to not develop applications that scrape data from the user's phone and send it back to you (without their consent if the application is designed to do that for some reason).
Most free or paid applications at least on the iPhone are rather harmless. Worst case is that it might freeze your phone, and the user needs to restart or restore the phone. Other than a minor inconvenience, there were no damages and no violation of privacy, therefore, no grounds for a lawsuit (just in my personal opinion which is worthless as I am not a lawyer)
]]>@admiral_stabbin: Who said anybodys child was named Storm8?
]]>@Covertghost: not without violating the ToS that you agree to when developing an app.
]]>@jdmba: at least facebook discloses that its going to access profile information before they take it. not cool, but then again you dont have to use programs on facebook that do this. iphone apps doing it without you knowing is totally different
]]>However, as a budding Android developer, I'm hoping that the "sue the programmer" meme doesn't take root.
I'm happy to spend a few hundred hours writing an app that might not *make* much money. But if there's even an outside chance that the app might *cost* me several thousand dollars in legal fees (and perhaps a bankruptcy-inducing judgment if the lawyer finds the jury's hot button), I think I'll find another hobby.
]]>Viruses are a whole other issue. There is no manner in which the iPhone can surreptitiously download, run and distribute an unapproved app so no threat of viruses... again on the other phones, no such protection... and do I have to mention, you have a full backup of your iPhone/iPod Touch on your computer, so worst case scenario, you wipe it and reload? The other phones? Yeah, you're out of luck.
]]>@harknell: Could you not just create a script that auto-opts in the user though?
]]>Serves them right. Unless its disclosed somewhere, but i assume thats against apples ToS anyhow considering its an exploit. I wonder what they planned on using the phone numbers for. Spamming txt messages when new apps become available? Seems to me like that would get them caught though. I cant see a good reason for this.
]]>This has been at the back of my mind, and I thought of it because the apps can be made by anyone at all.
Apple may lose their, "We're better than PC because you don't get viruses!" motto soon.
I guess I really do have to be careful about what I download to my iPod touch. Who knows what kind of backdoors they could put into my iPod. That would really suck too because my whole life is on that thing.
]]>