NEWS FROM THE LAB - Tuesday, November 16, 2010

Spoof Your Caller ID With an iPhone Web App

Posted by Sean @ 17:48 GMT

For those of you who think every iPhone application must be approved by Apple's App Store guardians… think again.

Here's an application called SpoofCard:


SpoofCard allows smartphone users to spoof their caller ID. This is not exactly new. There was a bit of press coverage one year ago.

But what's now interesting to us is the variety of supported platforms: Android, BlackBerry, Palm, Windows Mobile and… iPhone.

Only, you won't find SpoofCard anywhere on Apple's website.

It's a Web App. All you need to do to "install" it is to visit ispoofcard.com with your iPhone's Safari browser.


SpoofCard's site will prompt you to save an icon to your iPhone's desktop.

At which point, for most, it appears to be just another installed application.

SpoofCard Web App

The iSpoofCard Web App calls a service which then facilitates the actual spoofing, and the App does prompt for the user's permission before it calls. It's well behaved in that sense.

But we're curious: could social engineering be used to dupe people into giving permissions to an overtly malicious Web App? Can Web Apps access the iPhone contacts if given permission? Can Web Apps send SMS messages? Web Apps can make phone calls… how much social engineering do you think is required to get somebody to make a premium rate call?

But then… Web Apps aren't anywhere near as popular as App Store applications. Even if Web Apps can be abused, they aren't likely to be, because iPhone users don't really use them.

And so we suppose in the end, this is yet another case of Apple's standard security through obscurity.