Software
Aurora Feint iPhone App Delisted For Lousy Security Practices
Posted by Jason Chen at 11:22 AM on July 24, 2008
Remember that Aurora Feint Puzzle/RPG game that we told you we liked? Turns out we don't like it anymore. In fact, we're actually pretty damn scared of this app, seeing as Apple de-listed them from the App Store due to privacy and security issues. To the developer's credit, they were forthright with what they did and didn't do.
According to their forums, if you opt-in to the community feature, Aurora Feint looks through your contact list, sends it unencrypted to their servers, and matches you up with your friends who are currently playing right now. Great feature, for sure, but that whole looking through our contact list and sending it in plain text to your server is cause for us to go OMGWTFBBQ.
When we discovered that the Apple SDK allowed us to look through your contact list we thought it would be a great idea to automatically show you which friends are playing the game. Why automatically? Well, everyone always complains about the keyboard on the iPhone and how annoying it is to type on it. So we thought, "Hey, why don't we make this feature REALLY easy to use - no typing!" And such, the community feature was born. Some people have said that it would have been ok if we had a better notice explaining what was going on. I agree! We weren't trying to be sneaky about how this worked. It was just overlooked. No one we showed it to even asked a question about it - nor did we. It just simply never came up as a potential issue when we beta tested the game with early users.
Upside is, if you didn't use the community feature, you're OK.
In the 1.0 version of the game we just didn't get around to doing everything we wanted to do in time for the launch: remember we tried to do a high quality game in 10 weeks flat. So, if you opt-in to the community feature, when you refresh your friends, the data is sent unencrypted to our web servers. Before you freak out though, let me explain why this was done. We just thought that it was a cool feature and that we'd implement security stuff if we became popular. To that end, the web server we launched with was a teeny box with almost no power. We spent the first few days scrambling to scale our servers. We really had no idea how popular we were going to be. We added this feature in near the end of our development cycle and simply decided that we didn't have enough time to spend to make it secure in advance of knowing if it was even going to be a hit.
Good intentions by slightly amateur programmers. It's alright. No malice intended. They're actually asking the community how they should proceed, and you should go tell them.
It's also a credit to Apple for finding the mistake and shutting it down. Even though the stated reason for vetting every app through the store in the first place was to make sure all of them are safe, something like this still slipped through, because it is practically infeasible to test each application to make sure it isn't sending out your private data. Apps and app updates are already delayed for a week or more while Apple checks them out. [Thanks mjborch1]

Comments
Vincent
Posted July 29, 2008 6:55 AM
And you think this is the only application doing this? Think about all these free applications/games made by unknown developers who can easily fetch this data and send it over the Internet (encrypted or not encrypted).
I wonder if the Apple SDK allows you to pull the e-mail address as well? Nice way to spread spam.
madog
Posted 1:58 PM 24/7/08
And by the bye, this is absolutely the most insanely coolesty awesomelyness game ever. A man-ified Bejeweled RPG that kicks more ass than Chuck No-list. Does it get any better?
madog
madog
Posted 1:54 PM 24/7/08
@Tirkish Delights: I see dead people and your friends' contact information.
madog
MrBlahBlah
Posted 1:48 PM 24/7/08
meh, don't really care. i'll keep playing
MrBlahBlah
MilktruckHeist
Posted 12:48 PM 24/7/08
Is it possible that if the iPhone had been an open platform to begin with this issue/future issues wouldn't even exist?...I mean 10 weeks for a whole game that is good to boot...damn
MilktruckHeist
jmckee
Posted 12:46 PM 24/7/08
I have to get on board with being pissed off with Apple for allowing this. I assumed that with the SDK and review process they were thoroughly reviewing the code submitted and that if an application was accessing your contacts/mic/camera/location/etc. they would be able to pinpoint why it was doing that and where the data was going.
Apple has told its users that it is carefully reviewing the safety and security of its apps. If they aren't, that's fine, it's just like Windows Mobile, I'll be extra careful downloading apps, but if they tell me they are carefully reviewing them and Super Monkey Ball is accessing my contacts/internet history or anything without any reason for the end user to believe it should be, that's a problem.
jmckee
michaelwiggins
Posted 12:31 PM 24/7/08
Like I fucking care if they crank call my friends. I hate their guts anyway.
Yea, ok, for all of the important executives with hundreds of private contacts, who ALSO play Aurora Feint, this is important. It's equally unlikely that Paris Hilton plays this game, so no worries to all her celeb friends.
michaelwiggins
92BuickLeSabre
Posted 12:19 PM 24/7/08
[video.google.com]
92BuickLeSabre
UnknownElementX
Posted 12:05 PM 24/7/08
agreed! all this criticism should be aimed at apple. If their already insanely restrictive SDK junk allowed this, then the AF programmers shouldn't be blamed for using it.
UnknownElementX
majortom1029
Posted 12:02 PM 24/7/08
Actually shouldn't we be bashing Apple for this? The SDK allowed them to do it, so this is a huge security breach from Apple themselves. This means a virus sort of program can be written which acts like a game but is getting your data.
I think apple should be more to blame
majortom1029
pure241
Posted 11:56 AM 24/7/08
apple frucked up. it passed their stringent tests and made it to the app store. how many other applications have exploits like this? 2.0 was rush rush rushed!
pure241
UnknownElementX
Posted 11:50 AM 24/7/08
AF is an awesome game and I look forward to its return. The programmers are surprisingly just hard working joes who suddenly found themselves on the big stage with a couple of unfinished areas in the game. I'm sure with either enhanced security or a lack of the "community aspect", AF will be back.
anyone who claims that this was spyware, just read their posts on the AF board and you'll eat your words. these guys are involved and concerned and don't deserve anything but a pat on the back for one of the best games on the iphone by far.
UnknownElementX
hardenstuhl
Posted 11:49 AM 24/7/08
I didn't think about this until this article. It would be very easy to put a program like this on an iPhone for scrupulous means. I am not saying these guys did this. But then who knows anymore? How safe is the iPhone against stuff like this? Is Apple the only group or agency that checks this stuff out? Echelon is watching and you are cheating on your hi scores...
hardenstuhl
Tirkish Delights
Posted 11:45 AM 24/7/08
@Tirkish Delights: and also...
"What does a scanner see? I mean, really see? Into the head? Down into the heart? Does a passive infrared scanner … see into me - into us - clearly or darkly?"
Tirkish Delights
Brian Lam
Posted 11:44 AM 24/7/08
Yeah, no one should beat anyone up about this.
Brian Lam
Tirkish Delights
Posted 11:43 AM 24/7/08
@Substance_D: seconded.
Tirkish Delights
LJN
Posted 11:42 AM 24/7/08
@Substance_D: I vehemently disagree with you that people having access to your unencrypted contacts, phone numbers and such is not a big deal. However, I am in agreement that this actually make the guys sound like quality dudes that just f'ed up.
LJN
IphtashuFitz
Posted 11:35 AM 24/7/08
Oops!
Having said that, I don't see why this game won't reappear soon. Adding encryption or disabling this feature altogether wouldn't be all that difficult, so there's no reason for them not to fix this and re-release it.
IphtashuFitz
Substance_D
Posted 11:32 AM 24/7/08
I like them for this, they sound like nice guys. I mean, they released a quality game at an unbeatable price, what's not to like? I don't understand why it's so bad for someone to see your contacts...worst case scenario is someone saying "OMG, user Substance_D has someone named Erika D on his contact list! Should I prank call her up? I can even see the number since these servers are unencrypted!"
Wtf, who cares.
Substance_D
Kaiser-Machead's Chips Ahoy!
Posted 11:32 AM 24/7/08
I actually wouldn't mind going to an OMGWTFBBQ
Kaiser-Machead's Chips Ahoy!
Griffehpoo
Posted 11:30 AM 24/7/08
ENEMIES 96%
ITEMS 80%
SECRETS 86%
PRESS ANY KEY TO CONTINUE
Griffehpoo
leetXcore
Posted 11:28 AM 24/7/08
A shame, I downloaded this yesterday and it is really, really fun.
leetXcore
TheDude06
Posted 11:27 AM 24/7/08
Arent forced NDA governed betas awesome?
TheDude06
zed0
Posted 3:34 PM 24/7/08
me too, let's all go the the OMGWTFBBQ
zed0
pixelchild
Posted 4:50 PM 24/7/08
i agree with Substance_D. seriously... people do something for free as a nice gesture for the community and they get hated on? com'on.
pixelchild
Rustabout
Posted 5:51 PM 24/7/08
@Substance_D:
if the only number in your contacts is your mom's, I can understand your reasoning.
Most of us, however, have jobs & social lives and would really hate our bosses & friends to start wondering why they're suddenly getting spam SMS & calls every 5 minutes.
Rustabout
Faxmonkey
Posted 6:20 PM 24/7/08
Just to be clear, it wasn't found by Apple. I saw it mentioned a few days ago on Modmyiphone.com forums after the 2.0 jailbreak went live. If it had been "found by Apple", then the App wouldn't have made it on the App store.
That said, the general response there is pretty much the same as mine: Who cares? Sure, it's bad security, but it's not like it's credit card numbers -- and it's not as if anyone actually hacked the server (or their network with a packet sniffer), took the data, and started using it for telemarketing purposes.
So it's basically a "No harm" situation. We're just getting upset that they "took a risk" of "minorly inconveniencing us" and it didn't end up happening. In the grand scheme of things, this is a fairly small deal.
Faxmonkey
tokiwartooth
Posted 7:22 PM 24/7/08
@darthsaber10: Not if Apple are making claims that Apps are vetted and safe.
Sure, the user should be savvy and aware...but they shouldn't expect or be on the look out for malicious apps from an official store. Apple makes money from sold apps, and the platform gains greater overall value from the huge amount of free apps.
tokiwartooth
tokiwartooth
Posted 7:20 PM 24/7/08
App warp speed 9!
Wrap, rather.
tokiwartooth
darthsaber10
Posted 7:19 PM 24/7/08
The issue with blaming Apple is that it only supports the reason that they are closing off the platform. Right now contacts are able to be accessed and information sent, but instead of saying that it's great that at least something like this is allowed, although you can't see any good use for it right now, people are bitching that Apple allows it. Then you turn around and bitch that the platform is too closed off and doesn't allow for everything you want it to. You can't have it both ways.
Especially considering that this was not ill-intentioned, and more importantly that it was an opt-in feature, I don't see it as that big of a deal. Apple likely removed it, not because they saw it as a big issue, but because they wanted to save face. That's what the whole developer program is about in the first place. They saw that too many people were jailbreaking their phones, so they dangled a very highly controlled developer program in the user's face, which to the majority of the public made them seem innovative, when in truth it was their way of controlling a situation that they really should have little part in.
If you download something to your phone, it's your responsibility to check it out. Don't rely on Apple to babysit for you. You have the assurance that something you download from the App Store is reasonably safe, but beyond that you need to grow up and take some responsibility.
darthsaber10
tokiwartooth
Posted 7:19 PM 24/7/08
I think this is foreshadowing a much bigger issue with the iPhone platform. As jmckee points out, Apple are the guardians here.
This isn't about the platform being insecure - this is about any Joe with $99 and malicious intent creating an app that takes the awesome possibilities of the SDK / platform and turning them into tools that work against the user, or violating personal info. Warp it in an app with reasonable use and you're set.
The Macintosh OS and specifically OS X - while indeed secure - has enjoyed relative immunity from Malware because of the low install base. It's just not that attractive to try and exploit. iPhone is wildly popular - and worldwide, now - so the appeal in tapping it for nefarious purposes must be pretty high.
tokiwartooth
sparx104
Posted 8:11 PM 24/7/08
There is a simple solution to this and all other security problems: If an app asks to read the contacts list a box pops up warning the user. The user can then allow it, allow it always or deny the action.
This way the user knows exactly what the app is doing and has full control. Also the developer doesn't have to worry about situations such as this.
Apple could show dialogs for anything; contact access, sending text, allowing to go to background, changing settings etc. this would mean there was no reason to vet applications - let the user decide what they can do.
sparx104
reckless_inoz
Posted 8:51 PM 24/7/08
@sparx104: I thought security popups were one of the main reasons that Vista was laughed at.
Now it's a solution for the iPhone?
Simple fact: Apple get cash from these apps and are hosting them so need to sort their shit out.
How long now till the first iPhone virus? (fingers crossed :)
reckless_inoz
Fluxcap
Posted 10:18 PM 24/7/08
I chose no on community play because of things like this...glad I was right.
Fluxcap
frigg
Posted 10:40 PM 24/7/08
OK. I think I understand. So here's the reasons why it's apparently OK that they STOLE YOUR PRIVATE FUCKING CONTACT LIST:
1) They make a fun game, so who cares if they STOLE YOUR PRIVATE FUCKING CONTACT LIST?
2) they're cool, so it's OK they STOLE YOUR PRIVATE FUCKING CONTACT LIST.
3) it's nanny Apple's fault who, in this one single instance, should be more closed not more open, so a rogue developer can't STEAL YOUR PRIVATE FUCKING CONTACT LIST. (not that they're rogue or anything)
4) the developers didn't want to inconvenience users by making them type or something, so they STOLE THEIR PRIVATE FUCKING CONTACT LIST.
5) since the developers only had 10 weeks they had no choice but to STEAL YOUR PRIVATE FUCKING CONTACT LIST.
6) Since your gaming community is going to include every single person you know, why not just STEAL YOUR PRIVATE FUCKING CONTACT LIST?
7) the developers are new to computers, the internet, privacy, and Earthlings, and had no idea anyone would mind if they STOLE THEIR PRIVATE FUCKING CONTACT LIST.
Did I miss any reasons why it's OK they STOLE YOUR PRIVATE FUCKING CONTACT LIST?
Oh yeah.
8) Think of all the fun their summer intern is going to have searching their database for the privates on Steve Jobs, Buckethead, Brian Lam, and other known people whose numbers may not be in your iPhone, but may be in the PRIVATE FUCKING CONTACT LISTS THEY STOLE.
frigg
qbrad
Posted 10:30 PM 24/7/08
I can't wait till all the Fanbois who have an iPhone "because my friends have one and told me to get it" get stuck with viruses and spyware galore on their super capable mini computers.
"I bought Mac so that I didn't HAVE to think!"
-"Don't think, just buy!"
--Love, Steve Jobs
qbrad
deadrobot
Posted 11:11 PM 24/7/08
Dang. I was just about to get the +12 Invisible Glove of Double Tap Spacebar for Period, too.
deadrobot
s017jrs
Posted 11:10 PM 24/7/08
It's not the personal numbers I'd be concerned with. Great, so someone wants to spam that hookup from 8 months ago that never called again. Go for it. Hope ya have better luck than I did...
It's the corporate crisis bridges and operations #s and things in there.
We have come to enjoy a certain level of privacy from our cellphones, at least in that contact lists were more trouble to steal over the air than it was worth. A bot harvesting that data and compiling it somewhere is a huge security risk to a lot of companies.
s017jrs
ppiddy
Posted 11:40 PM 24/7/08
I think this supports the idea of having an app store where beta software can be tested by users who are willing to assume some risk. Have a check box in your settings on the phone that says: "Use untested software from app store" or something, and have all apps get vetted by beta testers for a couple of weeks before they go live. Build in some sort of good feedback system and bob's your uncle.
It's simply ridiculous to assume that a few people at apple can find all the security holes in the dozens of apps that go live on any given day. You need _thousands_ of people to do that job.
OTOH, this did get caught and pulled from the store in 12 days, so the system seems to be working OK. I can imagine "other" companies that would take much longer to rectify this. And I also sympathize with the developers... seems like a relatively honest mistake that even a large software developer might make, let alone two guys writing code in their spare time, and they've been refreshingly forthright about it.
ppiddy
crpndeth
Posted 11:33 PM 24/7/08
@frigg: First, stop pretending your contact list is of any desire to anyone; you don't know anyone we want to talk to anyways.
Furthermore, all the big social networking sites let you voluntarily (and I know Aurora Feint left that part out) give up your contact list to them and it's stored on THEIR servers even after they find your friends. So to think that your info has never been given up to MySpace, Facebook or LinkedIn just cause YOU didn't agree to a search is pretty naive, since with all the members they have, statistically speaking one of your friends/family that has YOUR contact info has submitted to the search. The exception to that is of course if you don't have any friends.
Searching someone's contact list is not new and not evil, most social programs do it. Stop demonizing these developers.
crpndeth
Augustum
Posted 11:46 PM 24/7/08
Ohhh come on - I really hope they put this game back up.
Augustum
geowrian
Posted 12:23 AM 25/7/08
Sorry, but this wasn't an almost amateur mistake...this was a very amateur mistake. Who in the world would knowingly send personal data unencrypted over the Internet? Even my parents know that, and they can barely turn the computer on. Yes, no malice was intended so they aren't just bad people; however, it's a very amateurish mistake that's going to be hard to work through in the future.
geowrian
hugedeal
Posted 12:52 AM 25/7/08
Did anyone actually join the "community" and submit an email address?
hugedeal
frigg
Posted 1:19 AM 25/7/08
@crpndeth: True enough. I'm Amish (Mennonite, actually), and most of my friends don't even have phones. I'm more concerned about John Mayer, who loves this game, and has the 411 on everyone from Bruce Wayne to the Pope.
frigg
Lupison
Posted 2:01 AM 25/7/08
I got the game and really don't like it that much. Kinda boring.
Lupison
joestoner
Posted 1:43 AM 25/7/08
@darthsaber10: "If you download something to your phone, it's your responsibility to check it out. Don't rely on Apple to babysit for you. You have the assurance that something you download from the App Store is reasonably safe, but beyond that you need to grow up and take some responsibility."
I think you're asking too much of the general public. You can't expect users of a consumer device to scrutinize all the network activity for any application installed on the device. That's like doing all the medical research for a drug prescribed by your doctor.
joestoner
gbronzer
Posted 2:05 AM 25/7/08
I think people are missing the real danger here. These guys just screwed up. The simple solution is take your contact's phone number, SHA1 hash it, and send the hash to the servers instead and match based on that.
The real problem is that 3rd parties can access your contacts and send them wherever they like without your knowledge. Take a malicious developer. He makes a game, copies whatever data you have he wants off your phone, ENCRYPTS IT, then sends it to his server and decrypts it to do whatever he wants.
Sure, he was "safe" in transferring your data, but it won't be safe when he sells all your friends' phone numbers to foreign SMS advertisers.
gbronzer
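The hash-and-match scheme gbronzer sketches above, written out as an added example (this is not code from the page or from Aurora Feint). The phone normalizes each number, sends only SHA-1 digests, and the server intersects them with the digests of registered players. The contact list never leaves the device in the clear, which addresses the plain-text transmission the article describes. Worth knowing before relying on it: the space of valid phone numbers is small enough that an unsalted digest of a number can be recovered by simply hashing every candidate, so this hides the list from a passive observer on the wire or in a leaked database, not from a determined operator; a proper transport layer (TLS) and an explicit permission prompt are still needed. The sample contacts, registered numbers and the US-default country code are constructed assumptions.

```python
import hashlib
import re

# Constructed sample data: one player's address book and the numbers of
# players already registered with the service.
MY_CONTACTS = ["+1 (415) 555-0123", "415-555-0199", "+44 20 7946 0958"]
REGISTERED_PLAYERS = ["+14155550123", "+442079460958", "+15105550101"]


def normalize_number(raw: str, default_country_code: str = "1") -> str:
    """Reduce a number to '+<country><digits>' so the same contact produces
    the same digest on every device (assumption: numbers without a leading
    '+' and exactly ten digits are treated as North American)."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:
        return "+" + default_country_code + digits
    return "+" + digits


def hash_number(number: str) -> str:
    """SHA-1 of the normalized number, as the comment proposes. Note that the
    input space is small, so this is obfuscation against casual exposure,
    not a one-way protection against someone willing to enumerate numbers."""
    return hashlib.sha1(normalize_number(number).encode("utf-8")).hexdigest()


def client_payload(contacts):
    """What the phone transmits: a de-duplicated list of digests, never the
    names or numbers themselves."""
    return sorted({hash_number(c) for c in contacts})


def server_match(hashes, registered):
    """Server side: look each received digest up against the digests of
    registered players and return the matching registered numbers."""
    index = {hash_number(n): n for n in registered}
    return sorted(index[h] for h in hashes if h in index)


if __name__ == "__main__":
    payload = client_payload(MY_CONTACTS)
    print("sent to server:", payload)
    print("friends already playing:", server_match(payload, REGISTERED_PLAYERS))
```

Normalization is the part that actually decides whether matching works: "+1 (415) 555-0123" in one address book and "4155550123" in another must hash identically, which is why the digest is taken over the canonical form rather than the raw string.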
TBM-Fan
Posted 4:02 AM 25/7/08
Never forget we're talking about Apple here
they left a big security breach in Safari on the Windows platform...
a site could run the code without letting you know it
Some/most Windows users are different than Mac OS X users
and Apple must know that by now
they even push payware to Windows users with an update for iTunes
so never trust any company but check everything yourself
TBM-Fan
Faxmonkey
Posted 4:38 AM 25/7/08
@frigg:
Except they didn't do that. The issue is not that they used your private contact list, that went without saying -- obviously they were going to use your contact list if you opted in, that was the whole point of the feature. Nobody's contact list was "stolen" -- if you opted in, you gave them permission to use it.
The issue is that the app transmitted the contact list to a remote server sans-encryption -- thus taking the risk that SOMEONE ELSE might steal it.
Try to keep up.
Faxmonkey
dogcow
Posted 6:26 AM 25/7/08
So did Apple remove the app from everyone's iPhones and Touches remotely? Or just no new downloads?
dogcow
frigg
Posted 7:35 AM 25/7/08
@Faxmonkey: One of the issues is encryption. But the other is permission which doesn't go without saying, hence "permission." As others have said, there was no explanation or confirmation before harvesting your privates.
I just checked their forum and their explanation has been updated. They now say personal data was never stored (although, frankly, I am confused since I thought it had to be stored in order to be used).
Oh well, good luck to those contact snarfing hobgoblins at AF, but maybe they should toss the community thing, ya know?
frigg
darthsaber10
Posted 7:35 PM 25/7/08
@joestoner: You don't look into the drugs prescribed by your doctor?
BTW, App is back up. That was fast.
darthsaber10
punkassjim
Posted 5:47 AM 25/7/08
It blows my mind to see all of you just blowing this off. Faxmonkey, it looks like you understand the sensitivity about the lack of encryption, but from my experience with AF, I don't see anywhere in there that it asks you for permission to send your entire contact list to the AF servers. You're asked for your phone number and email address, with a Submit button. That's all I see.
For everyone who has expressed a "meh" attitude, YOU ARE THE REAL PROBLEM. YOU may not care if you compromise other people's info to identity thieves, but I'd damn sure bet your friends and colleagues might.
holy. effing. "me" generation. Yall're disgusting.
punkassjim
demione
Posted 3:34 PM 24/7/08
jeez, i just don't know. when i created trism (which also has online scoring), the FIRST thing i did was make sure it was secure. large or not, this is inexcusable...
demione
mobashir
Posted 1:18 PM 24/7/08
Any iPhone application reading your contact list should have to get explicit permission from you, regardless of whether it transmits the contact list in encrypted form or not.
mobashir
Captain Bringdown
Posted 12:02 PM 24/7/08
@Kaiser-Machead's Chips Ahoy!: Sizzler?
Captain Bringdown