Aurora Feint iPhone App Delisted For Lousy Security Practices

Illustration for article titled Aurora Feint iPhone App Delisted For Lousy Security Practices

Remember that Aurora Feint Puzzle/RPG game that we told you we liked? Turns out we don't like it anymore. In fact, we're actually pretty damn scared of this app, seeing as Apple de-listed them from the App Store due to privacy and security issues. To the developer's credit, they were forthright with what they did and didn't do.


According to their forums, if you opt-in to the community feature, Aurora Feint looks through your contact list, sends it unencrypted to their servers, and matches you up with your friends who are currently playing right now. Great feature, for sure, but that whole looking through our contact list and sending it in plain text to your server is cause for us to go OMGWTFBBQ.

When we discovered that the Apple SDK allowed us to look through your contact list we thought it would be a great idea to automatically show you which friends are playing the game. Why automatically? Well, everyone always complains about the keyboard on the iPhone and how annoying it is to type on it. So we thought, "Hey, why don't we make this feature REALLY easy to use – no typing!" And such, the community feature was born. Some people have said that it would have been ok if we had a better notice explaining what was going on. I agree! We weren't trying to be sneaky about how this worked. It was just overlooked. No one we showed it to even asked a question about it – nor did we. It just simply never came up as a potential issue when we beta tested the game with early users.

Upside is, if you didn't use the community feature, you're OK.

In the 1.0 version of the game we just didn't get around to doing everything we wanted to do in time for the launch: remember we tried to do a high quality game in 10 weeks flat. So, if you opt-in to the community feature, when you refresh your friends, the data is sent unencrypted to our web servers. Before you freak out though, let me explain why this was done. We just thought that it was a cool feature and that we'd implement security stuff if we became popular. To that end, the web server we launched with was a teeny box with almost no power. We spent the first few days scrambling to scale our servers. We really had no idea how popular we were going to be. We added this feature in near the end of our development cycle and simply decided that we didn't have enough time to spend to make it secure in advance of knowing if it was even going to be a hit.

Good intentions by slightly amateur programmers. It's alright. No malice intended. They're actually asking the community as to how they should proceed, and you should go tell them.

It's also a credit to Apple for finding out the mistake and shutting it down. Even though the line about having all apps be vetted through the store in the first place was to make sure all of them are safe, some stuff like this still slipped through because it's pretty much unfeasible to test each application to make sure they're not sending out your private data. Apps and app updates are already delayed for a week or more because Apple's checking them out. [Thanks mjborch1]



There is a simple solution to this and all other security problems: If an app asks to read the contacts list a box pops up warning the user. The user can then allow it, allow it always or deny the action.

This way the user knows exactly what the app is doing and has full control. Also the developer doesn't have to worry about situations such as this.

Apple could show dialogs for anything; contact access, sending text, allowing to go to background, changing settings etc. this would mean there was no reason to vet applications - let the user decide what they can do.