Dhanjani found that in iPhone applications that are really just wrappers around a mobile web site, hackers and identity thieves can exploit the iPhone's limited screen real estate to hide fake URLs and run spoofed sites. The concept is fairly simple. Take Bank of America, for instance. BOA's mobile app is actually just a link to its mobile website. When an iPhone user taps the app, it takes them to BOA's site and hides the Safari URL bar so it looks more like a dedicated app.
Dhanjani says, and most would agree, that malicious app developers and even mobile web developers could easily reuse the same code that scrolls the URL bar out of view on any site. With some quick reverse engineering, a high-profile app like BOA's could be replicated, and the copy could ship your personal information off to the attacker's own servers.
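To make the mechanism concrete, here is an added example (not code from the article, from Dhanjani's write-up, or from Apple or Bank of America) of the one-pixel scroll that Mobile Safari pages used to push the real address bar off screen, plus the edge case a practitioner runs into: the nudge does nothing on a page shorter than the viewport, so the page pads itself first. The bar height, the viewport sizes and the `makeStandInWindow` object are assumptions constructed so the logic runs under Node; in a real browser `installInBrowser(window)` wires it to `load` and `orientationchange`.

```javascript
// Added example: the Mobile Safari address-bar hiding trick described above,
// written so its logic runs under Node against a stand-in window object.
// Not code from the article, Apple, Bank of America or Dhanjani. The bar
// height and viewport sizes are assumptions used for illustration only.

const ASSUMED_BAR_HEIGHT = 60; // assumed height of Safari's URL bar in CSS px

// Safari of the era the article describes scrolled its own chrome off screen
// along with the page, but only when the document was taller than the viewport.
// A short page must be padded first, otherwise scrollTo(0, 1) is a no-op and
// the real URL bar stays visible.
function ensureScrollable(win, barHeight = ASSUMED_BAR_HEIGHT) {
  const needed = win.innerHeight + barHeight + 1;
  const body = win.document.body;
  if (body.scrollHeight < needed) {
    body.style.minHeight = needed + 'px';
    return needed; // height we forced via CSS
  }
  return body.scrollHeight; // already tall enough, left untouched
}

// The trick itself: pad if necessary, then nudge the viewport down one pixel so
// Safari hides its real address bar. Returns what the user now sees.
function hideAddressBar(win, barHeight = ASSUMED_BAR_HEIGHT) {
  ensureScrollable(win, barHeight);
  win.scrollTo(0, 1);
  return win.scrollY >= 1 ? 'hidden' : 'visible';
}

// In a real page this is wired to load and orientationchange: rotating the
// device re-lays-out the page and brings the bar back, so the nudge is repeated.
function installInBrowser(win) {
  const nudge = () => win.setTimeout(() => hideAddressBar(win), 0);
  win.addEventListener('load', nudge);
  win.addEventListener('orientationchange', nudge);
}

// Constructed stand-in for window/document so the logic can run outside a
// browser. It models the one rule that matters here: the page can only be
// scrolled as far as the laid-out document overflows the viewport.
function makeStandInWindow(innerHeight, bodyHeight) {
  const body = { scrollHeight: bodyHeight, style: {} };
  const win = {
    innerHeight,
    scrollY: 0,
    document: { body },
    scrollTo(x, y) {
      const laidOut = Math.max(body.scrollHeight, parseInt(body.style.minHeight || '0', 10));
      const maxScroll = Math.max(0, laidOut - innerHeight);
      win.scrollY = Math.min(y, maxScroll);
    },
  };
  return win;
}

if (typeof window !== 'undefined') {
  installInBrowser(window); // real Mobile Safari: hide the bar after load
} else {
  // Node demo: a naive scrollTo on a short page fails, the padded version works.
  const naive = makeStandInWindow(356, 200);
  naive.scrollTo(0, 1);
  console.log('naive scroll on short page:', naive.scrollY ? 'hidden' : 'visible');
  const padded = makeStandInWindow(356, 200);
  console.log('with padding:', hideAddressBar(padded), padded.document.body.style.minHeight);
}
```

Nothing in this code is exotic or privileged: it is ordinary page JavaScript, which is exactly the point the article makes. Once the real bar is gone, the phishing page is free to draw its own lookalike bar at the top of the document showing whatever domain it likes; the only thing standing between the user and the real origin is scrolling back up far enough for Safari to bring its own chrome back.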
Dhanjani says he reported his findings to Apple: “I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue.” Dhanjani is also quick to offer some remedies: “Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view,” he said. “Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar…”
As smartphone popularity continues to rise, and with the holiday shopping season in full swing, Apple should probably take this problem seriously.
Source: Computer World