Author Topic: Retrievable iPhone numbers mean potential privacy issues  (Read 840 times)

Offline javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35255
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
Retrievable iPhone numbers mean potential privacy issues
« on: September 29, 2009, 08:40:11 PM »
I admit, sometimes I forget the iPhone is a phone. When a couple voicemails didn’t show up recently, I thought nothing of it until a friend asked me if I’d gotten his message—people just don’t call me that often. But a phone it is, as some users are reportedly being reminded when they get phone calls from the publishers of a free app they’ve downloaded from the App Store.

The application in question, mogoRoad, is a real-time traffic monitoring application available in Switzerland. Several commenters on the store say they’ve received phone calls from the company behind the application after they downloaded the free version, inviting them to shell out money for the full version.

As invasive and despicable as that sounds, it raises another question: how did the company get ahold of the contact information for those users? Mogo claims the details were provided by Apple, but Apple doesn’t disclose that information to App Store vendors. French site Mac 4 Ever did some digging and determined it was possible—even easy—for an app to retrieve the phone number of a unit on which it was installed.

I talked to developers who said that while Apple’s iPhone software development kit doesn’t provide a built-in way to access the device’s phone number, the information can still be indirectly retrieved with relatively little trouble, as this Ars Technica article from January explains (See Reply). Mac 4 Ever claims that this ability has been around since iPhone OS 2.1.

Seeing as there are few things I hate as much as unsolicited phone calls—well, maybe unexpected nuts in cookies—I'd call this a serious privacy concern. Apple handles a lot of all of our personal information and claims to take it seriously, as is evident by the privacy policy on its site. While there may not be a technological solution to this problem—much as I hate to say it, it seems like this is more part of a "feature" rather than an out-and-out security hole—Apple should still be bringing down the fires of heaven on any vendor who abuses this information.

source:macworld


I think this is a serious violation of Apple's privacy policy and could bring about some very Real and Winnable Litigation. Apple needs to fix this Security Hole faster than NOW!

« Last Edit: September 29, 2009, 08:54:36 PM by javajolt »


Offline javajolt

iPhone dev: Retrieving user phone numbers
« Reply #1 on: September 29, 2009, 08:53:49 PM »
Below is the Ars Technica article published in January concerning this very Real and Serious Security Breach.


There's a secret to recovering user phone numbers that does not involve the address book. Use Apple's shared global preferences. Read on to learn how.


One of the most common questions I get these days has to do with retrieving a user's phone number on the iPhone. It's a shockingly easy thing to do and yet a fairly undocumented task. That's because in every application deployed to the iPhone, Apple sneaks in a hidden symbolic link between the app's sandboxed preferences and a global preferences property list.

If you're on a jailbroken iPhone, this is easy to find. Peek in Library/Preferences with "ls -a". You'll find a symbolic link to /private/var/mobile/Library/Preferences/.GlobalPreferences.plist, which is where (among other items), you'll find a preference called SBFormattedPhoneNumber.

This preference provides exactly what the name implies: the user's phone number formatted to the current locale. For my iPhone, the format is along the lines of "1 (xxx) xxx-xxxx" but it will vary by your country and settings.

To retrieve the number, just use your standard user defaults as follows:


You can also read in the entire property list as such. Notice that I do not perform any checks to see whether the plist exists, but you can easily add those using NSFileManager:


For those wondering whether this opens up a security hole that allows unapproved access to your phone number, don't worry. Or rather, if you're worried, you probably shouldn't be using an iPhone. It's important to remember that perfectly legit applications can reach your phone number plus your entire address book as well. Applications can also obtain personal information from most of the iPhone file system, which remains readable despite Apple's developer sandbox. Just like any platform, the iPhone relies on a certain level of developer integrity (plus community policing) to stop security intrusions and overstepping information gathering.

source:arstechnica
« Last Edit: September 29, 2009, 09:12:21 PM by javajolt »
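
An added example, not part of the original posts or the quoted articles: a review-side check that scans an app binary's embedded strings for the two identifiers the article names, `SBFormattedPhoneNumber` and `.GlobalPreferences.plist`, so a reviewer or auditor can flag apps that reference them. The function names and the sample byte strings are constructed for illustration.

```python
from __future__ import annotations

import re

# Identifiers taken from the article quoted above.
INDICATORS = (b"SBFormattedPhoneNumber", b".GlobalPreferences.plist")

# Runs of printable ASCII, the same idea as the Unix `strings` tool.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob: bytes) -> list[bytes]:
    """Return printable-ASCII runs of 6 or more bytes found in a binary blob."""
    return _PRINTABLE.findall(blob)


def audit_binary(blob: bytes) -> dict[str, list[str]]:
    """Map each indicator to the embedded strings that contain it."""
    findings: dict[str, list[str]] = {}
    for s in extract_strings(blob):
        for ind in INDICATORS:
            if ind in s:
                findings.setdefault(ind.decode(), []).append(s.decode("ascii"))
    return findings


def verdict(blob: bytes) -> str:
    """Return 'flag' when any indicator is present, otherwise 'pass'."""
    return "flag" if audit_binary(blob) else "pass"


# Constructed sample blobs standing in for sections of an app binary.
SAMPLE_KEY = b"\x00\x01__cstring\x00SBFormattedPhoneNumber\x00trafficURL\x00\xff"
SAMPLE_PATH = (
    b"\x00/private/var/mobile/Library/Preferences/.GlobalPreferences.plist\x00"
)
SAMPLE_CLEAN = b"\x00NSUserDefaults\x00lastRouteName\x00\x02"

if __name__ == "__main__":
    for name, blob in [("key", SAMPLE_KEY), ("path", SAMPLE_PATH),
                       ("clean", SAMPLE_CLEAN)]:
        print(name, verdict(blob), audit_binary(blob))
```

A match is only a prompt for closer review: strings that are split, encoded, or assembled at run time will not appear as a single printable run.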