Forwarded from: Kugutsumen <kugutsumen (at) kugutsumen.com>

http://www.flingtech.com/2009/01/trust-issues-iphone-im-apps.html

Saturday, 10 January 2009

Trust issues with iPhone IM Apps

Apple doesn't allow applications to run in the background. A push API will probably be released later this year, but in the meantime, if you have an iPhone and you want to use Yahoo, MSN, Google, AIM, etc. without logging in and out all the time from Safari, either you jailbreak your iPhone and load an open SDK application or you use an IM proxy client such as Beejive, Palringo, Fring, etc.

I have a problem with most of these IM clients. They proxy your connection to Yahoo, MSN, Google Talk, etc., and to do so they keep a copy of your usernames and passwords. They promise you can trust them, but there is no guarantee that they won't be hacked. Twitter admin tools were hacked recently and many high-profile accounts were compromised. Do they have an information security management system in place? Who knows?

This is really wrong! Especially when Google, for example, offers an authentication service for third-party applications and services. In a perfect world, IM clients should authenticate with the IM provider directly and then pass the cookie to the third-party server. This would prevent companies like Beejive and Palringo from keeping a copy of your credentials, plus it should be possible to authorise their servers to access IM services only -- nothing else. They shouldn't be able to access your e-mail inbox and other sensitive services such as AdWords, Google Checkout, etc.

Another thing that is really annoying with companies like Palringo and Fring is that they seem to hide who they are! When you visit the Palringo website, it doesn't even say which country they are incorporated in, or who they are, but still you are expected to trust them with your usernames and passwords! Nothing on their about page or contact page; extensive digging in the Palringo press centre blog suggests that the company is based in the U.K., where legal requirements have effectively eradicated privacy.

Fring is another company that goes to lengths to obscure their real identity. They hide the fact that they are from Israel. They know people aren't going to read their terms of use and notice that they are governed by the laws of the State of Israel. Some of my friends were shocked when I told them -- they stopped using Fring services and changed their Skype passwords.

In France, we have an informal policy not to trust the UK, Israel and other countries that have a long history of spying on their allies. Recently, French government officials have been banned from using BlackBerries because RIM's push e-mail servers in the US and UK keep a copy of everyone's e-mail credentials and messages. For similar reasons, most countries discourage the use of Checkpoint Firewall in government and military networks because it's also from Israel.

Palringo and Fring are free to use, yet I chose Beejive; they are based in California, one of the few states in America where privacy law is respected and enforced. Beejive isn't free; at $15 it's actually expensive for an iPhone app, but at least I know they make money. They don't need to sell their users' data to some spook agency or some marketing firm to meet their financial targets.

Here are a few recommendations to minimise the risks of using IM proxying services such as Beejive and Palringo.

1/ Never use your main free (Google, MSN, Yahoo...) e-mail account for IM on your mobile phone. You're probably using that account for PayPal, Amazon, domain registration and many other sensitive services, and you don't want that account to be compromised. You should also have a unique password for that e-mail address and never reuse it for other web sites and services.

2/ Create new IM accounts that you will use on your mobile phone and only add the people you want to talk to. You probably have hundreds of buddies on your main IM account and they will generate a lot of traffic every time their status is updated. This will also optimise your usage if you are not on an unlimited plan.

3/ If your IM client supports OTR, activate it to encrypt communications with your peers, and if OTR isn't supported you should harass your vendor to implement it.

4/ This is obvious, but you should always assume IM and VoIP are insecure communication channels. If you need real security and confidentiality on your mobile phone, use CellCrypt. It's been developed by competent people and their crypto engine is open source and well documented [snake-oil free].

Kugutsumen

--
Kugutsumen <k (at) kugutsumen.com> - http://twitter.com/kugutsumen

_______________________________________________
Please help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html

Received on Tue Jan 13 2009 - 23:19:07 PST
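The delegation scheme the post argues for (the user authenticates with the IM provider directly, and the proxy is handed only a token that is scoped to IM and bound to that proxy) can be sketched in code. This is an added example, not code from the original post, from Google, or from any of the vendors named; the provider, the proxy, the user "alice", her password and the HMAC-signed JSON token format are all constructed stand-ins for the "cookie" the post mentions. It shows what a proxy can and cannot do when it never sees the password: IM works, reading mail with the same token fails, and a token lifted from the proxy is useless to a different client or after tampering.

```python
"""Toy model of scoped, delegated tokens for an IM proxy (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Provider:
    """Stand-in for an IM/e-mail provider that can issue scoped delegation tokens."""

    def __init__(self):
        # Constructed account; a real provider would store a salted password hash.
        self._users = {"alice": "correct horse battery staple"}
        # Signing key never leaves the provider, so nobody else can mint tokens.
        self._key = secrets.token_bytes(32)

    def issue_token(self, username, password, audience, scopes, ttl=3600):
        """The user authenticates directly with the provider, naming which proxy
        (audience) may use the token and for which services (scopes)."""
        if self._users.get(username) != password:
            return None
        payload = {
            "sub": username,
            "aud": audience,
            "scope": sorted(scopes),
            "exp": int(time.time()) + ttl,
            "nonce": _b64(secrets.token_bytes(8)),
        }
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def access(self, token, caller, service, now=None):
        """Serve `service` only if signature, expiry, audience and scope all check out."""
        try:
            body, sig = token.split(".", 1)
        except (AttributeError, ValueError):
            return False
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return False  # forged or tampered token
        claims = json.loads(_unb64(body))
        now = time.time() if now is None else now
        if now >= claims["exp"] or claims["aud"] != caller:
            return False  # expired, or presented by a client it was not issued to
        return service in claims["scope"]


class Proxy:
    """The IM proxy: stores only the token the user handed it, never the password."""

    def __init__(self, name, provider):
        self.name = name
        self._provider = provider
        self._tokens = {}

    def register(self, username, token):
        self._tokens[username] = token

    def use(self, username, service, now=None):
        return self._provider.access(self._tokens[username], self.name, service, now=now)


def delegation_demo():
    provider = Provider()
    proxy = Proxy("im-proxy.example", provider)  # constructed proxy identity

    # 1. User authenticates with the provider herself; the proxy is not in the loop.
    token = provider.issue_token("alice", "correct horse battery staple",
                                 audience="im-proxy.example", scopes={"im"})
    # 2. Only the scoped token reaches the proxy.
    proxy.register("alice", token)

    # Attacker who copied the token from the proxy's database tries to widen its scope.
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["scope"] = ["im", "mail"]
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig

    return {
        "im_allowed": proxy.use("alice", "im"),
        "mail_allowed": proxy.use("alice", "mail"),
        "expired": provider.access(token, "im-proxy.example", "im", now=time.time() + 7200),
        "wrong_password_token": provider.issue_token("alice", "wrong", "im-proxy.example", {"im"}),
        "replayed_by_other_client": provider.access(token, "attacker.example", "im"),
        "forged_scope": provider.access(forged, "im-proxy.example", "mail"),
    }


if __name__ == "__main__":
    for check, result in delegation_demo().items():
        print(f"{check}: {result}")
```

The point of the audience and scope claims is exactly the post's complaint: a breach of the proxy yields tokens that work only for IM, only from that proxy, and only until they expire, instead of reusable passwords for the user's mail, payments and advertising accounts.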