On Developers and iOS Security

Apple, as a proprietor of computer operating systems, has always taken security and privacy very seriously. Though some argue its operating systems benefit from “security through obscurity”, the number of exploits in the wild has continued to hover at or just above zero for both Mac OS X and iOS. That’s pretty amazing given the challenges Microsoft has historically faced, and compared to the exploits that have begun cropping up on Android.

However, an operating system is only as secure as the apps users run on it. Apple’s mandatory sandboxing of iOS apps (and soon Mac App Store apps) and its App Store review process thwart most would-be rogue apps and remote hacks, but they can’t prevent developers from making poor implementation decisions that compromise a user’s security.

The other day I was recovering some accidentally deleted photos from a recent iTunes backup and came across something rather disturbing. Quicklytics, a Google Analytics app, was storing my Google password in plain text in the documents folder of the app!

This isn’t the sort of security issue a remote hacker could exploit (at least not without first compromising iOS itself); nonetheless, I immediately changed my Google password and emailed both Apple and the developer. It turns out that Google Analytics used to require token authentication, which meant the password had to be stored within the app, but it certainly didn’t have to be stored in plain text in the app’s Documents folder, which iTunes copies into every backup.
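The place for a credential an iOS app genuinely has to keep is the Keychain, not a file in Documents. The following is an added example of that pattern, written for this page; it is not code from Quicklytics or from the original post. It assumes ARC (the `__bridge` casts drop out under manual reference counting), and the service string and the helper names are assumptions chosen for illustration.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed service identifier; a real app would use its own reverse-DNS name.
static NSString *const kGAKeychainService = @"com.example.analyticsapp.google-account";

// Build the (class, service, account) query that uniquely identifies the item.
static NSMutableDictionary *GAKeychainQuery(NSString *account) {
    return [@{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: kGAKeychainService,
              (__bridge id)kSecAttrAccount: account} mutableCopy];
}

// Store (or replace) the password for `account`. Returns YES on success.
BOOL GASavePassword(NSString *account, NSString *password) {
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];

    NSMutableDictionary *item = GAKeychainQuery(account);
    item[(__bridge id)kSecValueData] = secret;
    // Readable only while the device is unlocked, and never migrated to a
    // backup restored onto a different device.
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    if (status == errSecDuplicateItem) {
        // An item for this account already exists: update its secret in place.
        NSDictionary *update = @{(__bridge id)kSecValueData: secret};
        status = SecItemUpdate((__bridge CFDictionaryRef)GAKeychainQuery(account),
                               (__bridge CFDictionaryRef)update);
    }
    return status == errSecSuccess;
}

// Read the password back, or return nil if none is stored.
NSString *GALoadPassword(NSString *account) {
    NSMutableDictionary *query = GAKeychainQuery(account);
    query[(__bridge id)kSecReturnData] = (__bridge id)kCFBooleanTrue;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the stored password, e.g. on sign-out. Missing item counts as success.
BOOL GADeletePassword(NSString *account) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)GAKeychainQuery(account));
    return status == errSecSuccess || status == errSecItemNotFound;
}
```

Two points worth checking in your own app: the Documents folder lands in an unencrypted iTunes backup in the clear, which is exactly how the password above was found, whereas Keychain items are encrypted with device-held keys; and with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` the item does not migrate when a backup is restored onto another device. The Keychain is still not a substitute for avoiding the password altogether: if the service offers token-based sign-in, store the token and never the password.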

Eduardo Scoz, the developer of Quicklytics, emailed me back within hours and was already working on a fix. He requested an expedited review from Apple and the updated app is already live in the App Store. Unfortunately, there are quite a few other Google Analytics apps that have not been updated. If you use an iOS app to access Google Analytics, you may want to use the iPhone/iPod Touch Backup Extractor or PhoneView to check that your password isn’t being stored in the clear.

Fellow developers: please, please, please, take more care with user passwords and other sensitive data. The sense of security Apple has fostered with iOS benefits us all, but a few careless developers can quickly erode that trust.