AOH :: IS1588.HTM

Flingtech: Trust Issues With IPhone Apps




Flingtech: Trust Issues With IPhone Apps
Flingtech: Trust Issues With IPhone Apps



Forwarded from: Kugutsumen 

http://www.flingtech.com/2009/01/trust-issues-iphone-im-apps.html 

Saturday, 10 January 2009
Trust issues with iPhone IM Apps

Apple doesn't allow applications to run in the background. A push API 
will probably be released later this year but in the meantime, if you 
have an iPhone and you want to use yahoo, msn, google, aim, etc. without 
logging in and out all the time from Safari either you jailbreak your 
iPhone and load an open SDK application or you use an IM proxy client 
such as Beejive, Palringo, Fring, etc.

I have a problem with most of these IM clients. They proxy your 
connection to Yahoo, MSN, Google Talk, etc. and to do so they keep a 
copy of your usernames and passwords. They promise you can trust them 
but there is no guaranty that they won't be hacked. Twitter admin tools 
were hacked recently and many high profile accounts were compromised. Do 
they have an information security management system in place? who knows?

This is really wrong! Especially when Google, for example, offers an 
authentication service for third party applications and services. In a 
perfect world, IM clients should authenticate with the IM provider 
directly and then pass the cookie to the third party server. This would 
prevent companies like Beejive and Palringo from keeping a copy of your 
credentials, plus it should be possible to authorise their servers to 
access IM services only -- nothing else. They shouldn't be able to 
access your e-mail inbox and other sensitive services such as adwords, 
google checkout, etc. etc. Another thing that is really annoying with 
companies like Palringo and Fring is that they seem to hide who they 
are! When you visit the Palringo website, it doesn't even say which 
country they are incorporated in, or who they are, but still you are 
expected to trust them with your usernames and passwords! Nothing on 
their about page or contact page; extensive digging in the Palringo 
press centre blog suggests that the company is based in the U.K. where 
legal requirements have effectively eradicated privacy.

Fring is another company that goes to lengths to obscure their real 
identity. They hide the fact that they are from Israel. They know people 
aren't going to read their terms of use and notice that it is governed 
by the laws of the State of Israel. Some of my friends were shocked when 
I told them -- they stopped using Fring services and changed their Skype 
passwords.

In France, we have an informal policy not to trust the UK, Israel and 
other countries that have a long history of spying on their allies. 
Recently, French government officials have been banned from using 
Blackberries because RIM's push e-mail servers in the US & UK keep a 
copy of everyone e-mail credentials and messages. For similar reasons, 
most countries discourage the use of Checkpoint Firewall in government 
and military networks because it's also from Israel.

Palringo and Fring are free to use, yet I chose Beejive, they are based 
in California, one of the few states in America where privacy law is 
respected and enforced. Beejive isn't free, at 15$, it's actually 
expensive for an iPhone app but at least I know they make money. They 
don't need to sell their users data to some spook agency or some 
marketing firm to meet their financial targets.

Here are a few recommendation to minimise the risks of using IM proxying 
services such as Beejive and Palringo.

1/ Never use your main free (google, msn, yahoo...) e-mail account for 
IM on your mobile phone. You're probably using that account for paypal, 
amazon, domain registration and many other sensitive services and you 
don't want that account to be compromised. You should also have a unique 
password for that e-mail address and never reuse it for other web sites 
and services.

2/ Create new IM accounts that you will use on your mobile phone and 
only add the people you want to talk to. You probably have a hundreds of 
buddies on your main IM account and they will generate a lot of traffic 
every time their status is updated. This will also optimise your usage 
if you are not on an unlimited plan.

3/ If your IM client supports OTR, activate it to encrypt communications 
with your peers and if OTR isn't supported you should harass your vendor 
to implement it.

4/ This is obvious but you should always assume IM and VoIP are insecure 
communication channels. If you need real security and confidentiality on 
your mobile phone, use CellCrypt. It's been developed by competent 
people and their crypto engine is open source and well documented 
[snake-oil free].

Kugutsumen

-- 
Kugutsumen  - http://twitter.com/kugutsumen 


_______________________________________________      
Please help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html 

Site design & layout copyright © 1986-2014 CodeGods