So perhaps only a few have heard about the July 4th news story reporting that several iTunes accounts (reportedly about 30) across the globe were compromised by the developer of an application (or several apps).
The story alleges that iTunes was hacked and several user accounts were compromised by an application developer who used people's iTunes accounts to purchase his own applications, so much so that it elevated him to the top of his applications' category. Now, I would suggest that more than 30 accounts would have to be involved to elevate an app to the top of its category, but that's beside the point. It is likely that more accounts were involved: some went unreported, and some owners are completely oblivious to their losses.
I'm not so convinced that iTunes was hacked by some thief brute-forcing username/password combinations to crack 30 accounts out of millions. While it is entirely possible that Apple could be hacked and that data could be stolen in bulk, I think there are some alternative ideas that should be considered.
Hearing that the culprit could be a crooked application developer, I began to think about the security controls (OR LACK THEREOF) and assurance measures that may exist (OR NOT) to ensure that crooks aren't selling apps on the iTunes store that have the ability to siphon data and/or steal your identity while you enjoy the app's cool primary function. The secondary function is the malicious, unadvertised one.
Consider the following:
1) Many apps require that you enter your iTunes password in order to install them. What if a phishing utility did the same? I will call this a PhApp (and I claim the term PhApp as my own). But how does one discern the difference between "legitimate Apple password requests" and "malicious password requests"? The real prompt is drawn by the operating system, but a running app can draw a dialog that looks identical to it, so the only reliable habit is to cancel any unexpected prompt and enter the password through the App Store app or Settings instead.
2) What would prevent an installed application from having complete control over your accounts? You authorized this by clicking install and giving your password (as above in item #1). And do any of us really analyze each request when our iPhone asks us to enter our password? I think many would provide their email password without a second thought if a dialog box popped up asking for it.
3) What controls exist to prevent a crook from embedding tools for harvesting your contacts, bank accounts, passwords, and other sensitive info inside a seemingly functional application? Even if the decoy application serves a legitimate purpose, there do not appear to be any controls that would prevent malicious code from being bundled with the functional decoy code. Is there an application source-code review? Nope: Apple's App Store review inspects the submitted binary against its guidelines, not the source, so a well-hidden secondary function can pass.
I am most concerned about the above item (#3), especially because the future of mobile computing will leverage these pervasive technologies and methods. I think there needs to be some serious consideration given to protecting the data held in these devices from the effects of an ill-designed or ill-intentioned application.
I suppose the same problem exists in the personal computer realm, but at least your personal firewall will notify you of outbound connections. I speculate that you'd be more alarmed if a dialog box appeared on your PC right now asking for your iTunes password. But many people might not question the same event should it occur on their iPhone or iPad.
Perhaps these controls do exist and I just missed something, but my hunch is that, in its rapid growth, the platform has had lots of controls omitted or completely overlooked. I fear that the controls that could detect and prevent the above scenarios are among the missing.
Yes, I have an iPhone and, yes, I use it just like millions of others. I cringe every time that dialog box pops up for me to enter my iTunes password. Still, I give it.
As with all passwords, you should use complex passwords (UPPER case, lower case, non-alpha characters), no dictionary words, no dates, etc. And for goodness sake, please don't use your username as your password; that's just too stupid.
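To make those rules concrete, here is a small password-policy checker I have added as an example; it is not code from the original post or from Apple. The tiny word list and the date patterns are my own constructed stand-ins for a real dictionary and a real date parser, and the 10-character minimum is an assumed policy value, not something the post specifies.

```python
import re
from typing import List

# Constructed stand-in for a real dictionary file (assumption for this example).
DICTIONARY = {"password", "itunes", "apple", "iphone", "welcome",
              "letmein", "summer", "dragon", "monkey"}

# Patterns that look like dates: a four-digit year, or day/month/year digit groups
# with optional separators (e.g. 070410, 07/04/2010, 04-07-10).
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),
    re.compile(r"\d{2}[/.-]?\d{2}[/.-]?\d{2,4}"),
]

MIN_LENGTH = 10  # assumed policy value


def check_password(password: str, username: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    user = username.lower()

    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no non-alpha character")

    # Using the username (or embedding it) is the worst case the post calls out.
    if user and user in lowered:
        problems.append("matches the username")

    # Substring match so "Apple2010!" is still caught despite the suffix.
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    if any(p.search(password) for p in DATE_PATTERNS):
        problems.append("contains a date")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["jsmith", "Apple2010!", "Summer07/04/2010!", "Tr0ub4dor&3x!"]:
        print(pw, "->", check_password(pw, "jsmith") or "OK")
```

The checks are deliberately substring-based rather than exact-match: a password that is a dictionary word with a year bolted on satisfies the character-class rules and still fails, which is the point of the "no dictionary words, no dates" advice.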