TrueCaller Vulnerability Reinforces Doubts on Apple App Store Certification
On April 28th, 2012 a vulnerability was discovered in TrueCaller, an iPhone application that acts as a worldwide number search and spam filter on Apple's iPhone platform. The path to rectifying this issue has reinforced doubts about Apple's ecosystem (more on this below).
The vulnerability hinges on a feature known as "Enhanced Search" that is required for the user to be able to search numbers. When the user has opted in, he is warned that his contact information and address book will be shared with other users as an improvement to the TrueCaller database. Privacy issues involving friends sharing your information aside, it seems that this upload was done using a cleartext HTTP POST. From a security standpoint, this is bad behaviour for the following reasons:
- Privacy Concerns - Allows fourth parties to intercept POST updates and build their own database, not governed by TrueCaller's privacy policies and security mechanisms.
- Fake Data - Fake data can be uploaded by rogue parties. While this may not seem like a big deal from a security standpoint at first (TrueCaller's database integrity aside), situations like these could lead to character defamation and, in the most extreme cases, false arrests.
- Fake Access - Users could potentially use this to gain access to the database without having to agree to TrueCaller's privacy policies, and may be able to use this mechanism to gain access without accountability.
To their credit, TrueCaller was reportedly very responsive to contact from security experts, and upon clarification and testing had a fix submitted to the Apple App Store for re-certification in just 3 days. One would assume this fix involves only a slight modification of the protocol: adding encryption to the data POST, perhaps simply through the use of SSL. One imagines this would not be difficult, as most of TrueCaller's other client-server interactions are already encrypted. What should be the real surprise here is that Apple's re-certification process took 17 days to complete.
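The kind of check a reviewer could run against a client's captured outbound traffic to catch exactly this class of defect, as an added example that is not TrueCaller's code: it flags any POST carrying contact-like data over a cleartext scheme, and shows the same audit passing once the endpoint is moved to HTTPS. The request records, hostnames, field names and numbers are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample of outbound requests a contact-sharing client might emit.
# Hostnames, paths, field names and numbers are hypothetical, not TrueCaller's.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://api.example.invalid/enhanced_search/upload",
     "body": "name=Jane+Doe&phone=%2B1-555-0100&phone=%2B1-555-0101"},
    {"method": "POST", "url": "https://api.example.invalid/enhanced_search/upload",
     "body": "name=Jane+Doe&phone=%2B1-555-0100"},
    {"method": "GET", "url": "http://static.example.invalid/logo.png", "body": ""},
]

# Heuristics for "this body looks like address-book data": a known field name
# or a phone-number-shaped value anywhere in the decoded body.
PHONE_RE = re.compile(r"\+?\d[\d\-\s()]{6,}\d")
CONTACT_FIELDS = {"phone", "name", "email", "contacts", "addressbook"}


def carries_contact_data(body: str) -> bool:
    """True if the form body names a contact field or contains a phone-like value."""
    fields = parse_qs(body, keep_blank_values=True)
    if CONTACT_FIELDS & {k.lower() for k in fields}:
        return True
    return PHONE_RE.search(unquote(body)) is not None


def audit_requests(requests):
    """Return (url, reason) findings for contact data sent without transport encryption."""
    findings = []
    for req in requests:
        scheme = urlsplit(req["url"]).scheme.lower()
        if scheme == "https":
            continue  # encrypted in transit: the interception and forgery risks above do not apply
        if req["method"].upper() == "POST" and carries_contact_data(req["body"]):
            findings.append((req["url"], "contact data sent over cleartext " + scheme))
    return findings


def fixed_requests(requests):
    """Model the minimal client-side fix: move cleartext endpoints to https."""
    return [dict(r, url=re.sub(r"^http://", "https://", r["url"])) for r in requests]


if __name__ == "__main__":
    for url, reason in audit_requests(SAMPLE_REQUESTS):
        print("FINDING:", url, "-", reason)
    print("findings after fix:", audit_requests(fixed_requests(SAMPLE_REQUESTS)))
```

The client-side rewrite is only half of the fix; the server must also stop accepting the cleartext endpoint, otherwise old clients and anyone else can keep posting to it.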
The Real Deal
There are two real problems here. One is that a fix of this nature took 17 days for Apple to re-certify. From the platform's point of view the application's behaviour should have experienced no change: one of the POSTs has simply gone from cleartext to encrypted, which the network stack should be agnostic about. Also, seeing as this error could have resulted in a loss of private information, it should have been prioritized. Given the highly controlled, homogeneous nature of the ecosystem, as lauded by Apple supporters, this kind of regression testing and certification should have taken only hours.
The more annoying problem is that few in the security industry are surprised. As stated before, one of the benefits of a homogeneous ecosystem is usually the ability to certify and deploy patches quickly. This is because there simply aren't a lot of variables to check if you only have a handful of hardware configurations and essentially two very similar and derivative code bases. In practice, the agile and very responsive actions that should be taken when threats appear simply don't appear to take place. Over the past few months a number of vulnerabilities have been exploited that, while fixed, were never certified and deployed. Additionally, many more vulnerabilities go unattended, some for several years, until the issue makes the press and it becomes a brand issue. This also has blow-back on third-party developers, who may appear unresponsive to security concerns simply because their fixes are caught in the re-certification process. These developers, understandably, are unwilling to raise the alarm, as their applications might be compromised in the meantime and they could easily be blacklisted from the App Store.
It is beyond the scope of this write-up to say whether these problems are a result of insufficient resources, corporate culture, or poorly designed and implemented platforms. However, the result is clear. There is a growing, and accredited, uneasiness revolving around the frivolous way security is approached at Apple.