From: InfoSec News (alerts (at) infosecnews.org)
Date: Wed Jan 14 2009 - 01:19:07 CST
Forwarded from: Kugutsumen <kugutsumen (at) kugutsumen.com>
http://www.flingtech.com/2009/01/trust-issues-iphone-im-apps.html
Saturday, 10 January 2009
Trust issues with iPhone IM Apps
Apple doesn't allow applications to run in the background. A push API
will probably be released later this year but in the meantime, if you
have an iPhone and you want to use Yahoo, MSN, Google, AIM, etc. without
logging in and out all the time from Safari, either you jailbreak your
iPhone and load an open SDK application or you use an IM proxy client
such as Beejive, Palringo, Fring, etc.
I have a problem with most of these IM clients. They proxy your
connection to Yahoo, MSN, Google Talk, etc. and to do so they keep a
copy of your usernames and passwords. They promise you can trust them
but there is no guarantee that they won't be hacked. Twitter admin tools
were hacked recently and many high profile accounts were compromised. Do
they have an information security management system in place? Who knows?
This is really wrong! Especially when Google, for example, offers an
authentication service for third party applications and services. In a
perfect world, IM clients should authenticate with the IM provider
directly and then pass the cookie to the third party server. This would
prevent companies like Beejive and Palringo from keeping a copy of your
credentials, plus it should be possible to authorise their servers to
access IM services only -- nothing else. They shouldn't be able to
access your e-mail inbox and other sensitive services such as AdWords,
Google Checkout, etc. Another thing that is really annoying with
companies like Palringo and Fring is that they seem to hide who they
are! When you visit the Palringo website, it doesn't even say which
country they are incorporated in, or who they are, but still you are
expected to trust them with your usernames and passwords! Nothing on
their about page or contact page; extensive digging in the Palringo
press centre blog suggests that the company is based in the U.K. where
legal requirements have effectively eradicated privacy.
Fring is another company that goes to lengths to obscure their real
identity. They hide the fact that they are from Israel. They know people
aren't going to read their terms of use and notice that it is governed
by the laws of the State of Israel. Some of my friends were shocked when
I told them -- they stopped using Fring services and changed their Skype
passwords.
In France, we have an informal policy not to trust the UK, Israel and
other countries that have a long history of spying on their allies.
Recently, French government officials have been banned from using
Blackberries because RIM's push e-mail servers in the US & UK keep a
copy of everyone's e-mail credentials and messages. For similar reasons,
most countries discourage the use of Check Point firewalls in government
and military networks because it's also from Israel.
Palringo and Fring are free to use, yet I chose Beejive; they are based
in California, one of the few states in America where privacy law is
respected and enforced. Beejive isn't free; at $15, it's actually
expensive for an iPhone app, but at least I know they make money. They
don't need to sell their users' data to some spook agency or some
marketing firm to meet their financial targets.
Here are a few recommendations to minimise the risks of using IM proxying
services such as Beejive and Palringo.
1/ Never use your main free (Google, MSN, Yahoo...) e-mail account for
IM on your mobile phone. You're probably using that account for PayPal,
Amazon, domain registration and many other sensitive services and you
don't want that account to be compromised. You should also have a unique
password for that e-mail address and never reuse it for other web sites
and services.
2/ Create new IM accounts that you will use on your mobile phone and
only add the people you want to talk to. You probably have hundreds of
buddies on your main IM account and they will generate a lot of traffic
every time their status is updated. This will also optimise your usage
if you are not on an unlimited plan.
3/ If your IM client supports OTR, activate it to encrypt communications
with your peers, and if OTR isn't supported you should harass your vendor
to implement it.
4/ This is obvious but you should always assume IM and VoIP are insecure
communication channels. If you need real security and confidentiality on
your mobile phone, use CellCrypt. It's been developed by competent
people and their crypto engine is open source and well documented
[snake-oil free].
Kugutsumen
--
Kugutsumen <k (at) kugutsumen.com> - http://twitter.com/kugutsumen
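The scoped delegation the post argues for (the phone authenticates to the IM provider directly, then hands the proxy a credential that is good for IM only, expires, and cannot be widened to mail or other services), as an added example that is not part of the original post; the token format, signing key, user name and timestamps are constructed for illustration:

```python
import base64
import hashlib
import hmac
import json
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, user, scopes, ttl, now=None):
    """Provider side: the user logs in to the IM provider directly and gets a
    token bound to a scope list and an expiry; the proxy never sees the password."""
    now = time.time() if now is None else now
    claims = {"sub": user, "scope": sorted(scopes), "exp": int(now + ttl)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(key, token, required_scope, now=None):
    """Provider side, when the proxy presents the token: returns the user name
    only if signature, expiry and the requested scope all check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or edited token
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token
    if claims.get("exp", 0) <= now:
        return None  # expired: a stolen token has a bounded lifetime
    if required_scope not in claims.get("scope", []):
        return None  # IM-only token cannot reach mail, AdWords, Checkout...
    return claims.get("sub")

if __name__ == "__main__":
    key = b"constructed-provider-signing-key"  # constructed for the demo
    t0 = 1231632000  # constructed issue time
    token = issue_token(key, "alice@example.com", ["im"], 3600, now=t0)
    print(verify_token(key, token, "im", now=t0 + 60))    # alice@example.com
    print(verify_token(key, token, "mail", now=t0 + 60))  # None: out of scope
    # Proxy edits the body to add "mail" but can only reuse the old signature
    body = issue_token(key, "alice@example.com", ["im", "mail"], 3600, now=t0).split(".")[0]
    print(verify_token(key, body + "." + token.split(".")[1], "mail", now=t0))  # None
```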