Tapulous Users Beware!
by Vaelek on Jul.15, 2009, under Applications
A number of “exploits” have surfaced for the iPhone over the last few months, but this is one I would consider of significantly higher risk than, say, being remote controlled via SMS. It seems Tapulous (makers of Tap Tap Revenge, Twinkle, Friendbook, etc.) uses UDIDs for authentication, and only UDIDs. What's a UDID? It's a Unique Device Identifier. As the name suggests, it is unique to your device, at least in theory. There is a tool available via Cydia (anyone who has installed Installous has this tool) that lets a user change the UDID their device reports. What this means is that anyone who gets hold of your UDID can set their device to report yours and effectively gain access to your Tapulous account: the identifier is the entire credential, so there is nothing else for the server to check. If you have linked the account to Twitter, Facebook, etc., those accounts have just been compromised as well.
How would someone get your UDID? It's actually easier than it sounds. Cydia sends the UDID when communicating with repos, so someone could easily set up or modify a repo to collect it. Going a step further, I imagine it is only a matter of time (if it has not already happened silently) until apps show up in Cydia that appear legitimate but, for example, send your UDID elsewhere when run. There may be countless other ways of obtaining the UDID that haven't been thought of yet.
Tapulous is aware of the issue and is working to resolve it, which will likely entail changes to the authentication in all of their apps. My advice at this time: if you have a Tapulous account, cancel it, or change your Twitter/Facebook passwords until the issue is resolved.
If you are a Tapulous user but do not use Twinkle or Friendbook, the worst that could happen is that someone messes with your Tap Tap Revenge scores, if those are even stored server-side; I have not played it personally.
It doesn't appear that Tapulous is publicly acknowledging this vulnerability (I can't bring myself to call it an exploit, as it is a failure in the design of the authentication system, or rather the lack of one), but you may want to watch their blog for news or keep an eye out for updates in the App Store.
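To make the design failure described above concrete, here is an added example (not Tapulous's code, nor the author's; the service and device classes, the 40-character UDID value, and the fixed timestamp are all constructed for illustration). It puts a UDID-only login beside a hardened login in which the UDID is merely a label and a per-device secret, issued once at enrolment, signs every request. A second device that has been set to report the victim's UDID gets in under the first design and is rejected under the second, and the hardened service also rejects replayed and stale requests.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample value: real UDIDs were 40 hex characters; this one is made up.
VICTIM_UDID = "a" * 40


class UdidOnlyService:
    """Weak design: the device identifier is the whole credential."""

    def __init__(self):
        self.accounts = {}  # udid -> account name

    def register(self, udid, account):
        self.accounts[udid] = account

    def login(self, udid):
        # Anyone who can present the UDID is the account holder.
        return self.accounts.get(udid)


class TokenService:
    """Hardened design: a random per-device secret is issued once at enrolment
    and every later request carries an HMAC over (udid, nonce, timestamp).
    A replay cache rejects reused nonces; a clock-skew window rejects stale ones."""

    def __init__(self, max_skew=60):
        self.devices = {}   # udid -> (account, secret)
        self.seen = set()   # (udid, nonce) pairs already accepted
        self.max_skew = max_skew

    def enroll(self, udid, account):
        secret = secrets.token_bytes(32)
        self.devices[udid] = (account, secret)
        return secret  # delivered once; the device keeps it in its keychain

    @staticmethod
    def sign(secret, udid, nonce, ts):
        msg = f"{udid}|{nonce}|{ts}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def login(self, udid, nonce, ts, mac, now=None):
        now = time.time() if now is None else now
        entry = self.devices.get(udid)
        if entry is None:
            return None
        account, secret = entry
        if abs(now - ts) > self.max_skew:      # stale or future-dated request
            return None
        if (udid, nonce) in self.seen:         # replay of a captured request
            return None
        expected = self.sign(secret, udid, nonce, ts)
        if not hmac.compare_digest(expected, mac):  # wrong or guessed secret
            return None
        self.seen.add((udid, nonce))
        return account


class Device:
    """Client side: holds the UDID it reports and, after enrolment, its secret."""

    def __init__(self, udid, secret=None):
        self.udid = udid
        self.secret = secret

    def enroll(self, svc, account):
        self.secret = svc.enroll(self.udid, account)

    def request(self, now=None):
        ts = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        return (self.udid, nonce, ts, TokenService.sign(self.secret, self.udid, nonce, ts))


def demo():
    """Run both designs against a victim device and a UDID-spoofing attacker."""
    now = 1_247_660_000  # fixed timestamp so the demo is deterministic

    weak = UdidOnlyService()
    weak.register(VICTIM_UDID, "victim")

    hard = TokenService()
    victim = Device(VICTIM_UDID)
    victim.enroll(hard, "victim")

    # The attacker's device has been set to report the victim's UDID, but the
    # attacker never went through enrolment, so the best it can do is guess a secret.
    attacker = Device(VICTIM_UDID, secret=secrets.token_bytes(32))

    legit = victim.request(now)
    return {
        "weak_attacker": weak.login(VICTIM_UDID),
        "hard_legit": hard.login(*legit, now=now),
        "hard_replay": hard.login(*legit, now=now),
        "hard_attacker": hard.login(*attacker.request(now), now=now),
        "hard_stale": hard.login(*victim.request(now - 3600), now=now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The enrolment step is where the real account binding has to happen: the hardened service is only as strong as whatever (a password, an OAuth grant) gates `enroll`, which this example leaves out. The point it does show is that once a secret exists that never leaves the device, knowing the UDID, or even capturing one signed request, is no longer enough.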
July 15th, 2009 on 11:52 am
So my phone is compromised because I use Cydia? Is there a way to protect myself from these exploits?
July 15th, 2009 on 1:41 pm
Right now the best advice I can give is to only use repos you trust, and always pay attention to what you're installing. There are a few lone releases that pop up, but I would say the majority of apps available on Cydia, at least the popular ones, are by known reputable developers. If you're concerned, the best thing to do is stick to apps only by established developers for the time being.
As it is right now, Tapulous accounts are the only known thing that could be compromised. If anyone else knows of situations where the UDID is used other than provisioning development devices, please post your comments here or in the forums.
July 18th, 2009 on 3:17 am
Hi there,
Not sure that this is true:), but thanks for a post.
Elcoj
January 4th, 2010 on 11:23 pm
So if I don't have Cydia I'm fine?