Stealing data, with Apple’s Blessing


I have a subscription to Pinch Media’s “New App” RSS feed.  As a result, I see literally every single new app that shows up, and I test many if not most of them.  Yesterday, I downloaded a new toy app and gave it a whirl.  The app is called “A.K.A”.  It takes your name, and gives you your Pirate, Jedi, and Porn Star name.  Very simple little app, and quite entertaining.

If you want to check out the app, here is the iTunes store link.  Because iTunes conveniently provides a link to this information, it’s easy to tell that the author, Robert de Jong, has not published any other apps.  Further, one whois and a Google search later, you can tell that the author, based in Colorado, isn’t either of the other two Robert de Jongs out there; one is in Ohio, the other in Canada.  Oh, his “company” also has a website, though it looks like a sole proprietorship, meaning there has been no paperwork filed with the government to form an LLC or corporation.  Further evidence: I couldn’t find a DEJOware business listing in the Colorado business registry.  On his site, the only contact link is a mailto, which will allow you to send him an email.

So, where does that leave us?  Well, let’s look at the application itself.  I mentioned earlier that it takes in user input, and gives you back your “other” names.  Let’s give this a whirl, using some fake information (why will be covered in a minute).  Starting the app up, we go immediately to the Pirate name screen.  First and last name are requested.  “Johnny Appleseed” is already demo’d on the iTunes store, so let’s do another name.  How about “Robert de Jong”?  I put it in, and get back the pirate name of “‘Salty’ Squid Flint”.  Stripper name time!  Robert de Jong, in the stripper world, would be “Fantasia Heavencocker”.  Wow.  Now Jedi name time.  Hitting this tab expands the input, and, again as seen on iTunes, more information is requested.  First, last, mother’s maiden, and birthplace are requested.  Robert’s mother’s maiden name will be, for this demo, “Wozniak” (sorry Steve), and his birthplace will be Boulder.  I get back the very Jedi name of “Dej-Ro Wozbou”.

Dej-Ro Wozbou is built from parts of each piece of data.  Three characters from the last name, two from the first name, three from the mother’s maiden name, and three from the birthplace.  de Jong, Robert, Wozniak, Boulder.  See?

So, why would I use false information here?  Here’s what just happened: a previously unknown developer has created an application and published it with Apple’s blessing.  The application asks for your information, and does… we know not what with it.  The app could send your information, literally, anywhere.  Further, the information is all user-supplied, so there’s nothing that would make Apple unhappy (like rifling through your address book for your information).  No, we, the users, provide all the information it asks for.  And that’s the problem.  We just provided First Name, Last Name, Mother’s Maiden Name, and Birthplace to this application and, potentially, to this developer.  If those four pieces of information sound familiar, it’s because those are usually what stand between you and retrieving an account password almost anywhere.  “But he doesn’t know my username!” you cry.  Actually, most people will use FirstnameLastname as their account username, if it’s an important account.  Like banking.  Think about that.

Now, my disclaimer and CYA: I don’t know any of this for sure.  I haven’t monitored the network traffic to see if A.K.A. is calling home.  I’m not even accusing A.K.A. or Robert de Jong of doing anything malicious.  The A.K.A. app happens to fit a model that could be used to steal information.  It is also “trusted” because Apple has blessed it.  Before you willingly hand any information over to an application, trusted or not, consider what could be done with that information.