Source code for Blackberry and iPhone spyware published

At the BlackHat DC conference and SchmooCon, Nicolas Seriot, an independent researcher and Tyler Shields of Veracode have independently presented two very similar papers.
The papers analyse weaknesses in security and application delivery models for iPhone and Blackberry and provide interesting read, especially if you are looking to write the next spyware application or a bot for one of the platforms.
For me, the most interesting part of the papers is the one that shows that regardless of the implemented security mechanisms like data caging, providing applications with its own private storage, a third party application will be able to access a lot of potentially confidential data, like contact lists, sms and email storage and even the Blackberry’s microphone.
It is known for some time that the application security model where the publisher verifies the integrity of the application (like Apple, Symbian or Google) and then publishes the application through an application store is not perfect, especially in a position where thousands of applications are published every month. It is simply not possible to check that all code behaves as the application’s developers claim.
For example, it is very easy to develop a game which sends SMS messages to buy additional game credits but at the same time forwards every received SMS-message to third party effectively creating (continue reading...)