Apple pulls app after dev publishes users' PINs

Is your phone PIN '1234'? If you're an iPhone owner, there's a good chance that it is. In fact, there's a good chance it's your PIN whatever handset you use. iOS software developer Daniel Amitay, creator of an app called Big Brother Camera Security, added iPhone-style four-digit passcode access to his program. He was staggered …

COMMENTS

This topic is closed for new posts.
  1. Giddy Kipper
    Facepalm

    5863 ...

    Does not spell 'love'. 'June' perhaps. Methinks you meant 5683.

  2. Anonymous Coward
    FAIL

    Never pick a passcode...

    ... Always generate a random one, anything your own head has chosen is vulnerable to being guessed by anyone who knows how your head works...

    1. Tom 13

      I've generated most of my passcodes

      So far none of my friends have guessed any of them. If my friends don't know how my head works, most other folk won't either.

      Hell, I've FORGOTTEN passcodes that I haven't used for a while even when I thought I remembered how I generated them.

    2. AndrueC Silver badge
      Happy

      Hmmm

      How about 'Grunt1nGB01dS'?

      I suppose what you're saying is right but if you can understand me enough to predict that I might use that password then you're a genius. Warped as well if you can think like me.

      P.S. Oh and you're wrong anyway. I 'generated' that one just as an example of the kind of passwords I use :)

      P.P.S. I use symbols as well in the more important passwords.

  3. Lon Bailey
    Coffee/keyboard

    PINs

    maybe use 4 digits from your mobile phone number instead?

  4. Whitter
    Paris Hilton

    I think I changed it...

    But to what, I have no idea.

    Any very infrequently used password/number is effectively forgotten in most "secure" systems (including phone banking, for example), so unless you have a screen lock-out on the same PIN, or have managed to recall what scrap of paper it was written on and where said bit of paper can be found and didn't clear it out at some point in the last few years, this might be your chance to get back in...!

  5. Shaun 1
    Stop

    5863

    "At sixth place is '5863' - an odd number until you realise it can be entered by tapping out the word 'love' on a mobile phone keypad"

    I think you mean 5683. 5863 spells 'June'

  6. Valerion
    Alien

    Amazing!

    I have the same combination on my luggage!

    We need a Spaceballs icon.

  7. Tsung
    Stop

    Same Pin?

    We are assuming that users are using the same PIN for the app that they use to unlock the phone. If I was installing a 3rd party app and it wanted a PIN I would NOT use my phone PIN number (or bank PIN number) but would make another one up. There is a good chance that I'd use 1234, if I was just trying the app out, or didn't consider the security that important.

    I feel the logic in this article is flawed.

    1. Old Handle

      That was my first thought

      I admit I don't completely understand what the app does, so maybe there's a really good reason for it to ask for a passcode, but if not, I would certainly use a bogus, super-easy passcode for something like this.

    2. Marvin the Martian

      I'm with you on layered passwords.

      Just like 9-level authorisation for government secrets, you can do the same with pins:

      Having a non-smartphone, anyone I'd let use my bicycle I'd let use my phone --- so they have the same 4-digit keys. Same for a raft of other not-very-exploitable, physical-access devices.

      All laptops and desktops share another password, as they all have access to a similar collection of browser-saved passwords. All "opinion" sites, ElReg/Beeb/cavia-breeding-forum/..., share another.

      Just like keying your front and back doors to the same --- fewer keys to duplicate or get lost, and equally important access points.

  8. Richard 31
    Paris Hilton

    Shrug

    Personally I only use the PIN code on my phone to prevent pocket-dialing and the like. I am sure any hacker who wanted in to my phone and had stolen it could do so.

    Perhaps others do the same?

    Don't use one of those codes though.

    1. AndrueC Silver badge
      Pirate

      Risky strategy these days

      That was fine until recently but my phone can also read and send emails from my personal account. I'd rather that didn't fall into 'enemy hands'. Be careful out there :)

  9. banjomike
    FAIL

    Amitay says the iTunes EULA is on his side...

    er, no. The iTunes EULA is on the side of APPLE. Surely that is obvious by now.

    Having said that, he deserves to be dumped from the App Store.

  10. Haku
    Facepalm

    Have people learned nothing from Spaceballs?

    Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage!

    Skroob (walking in): What's the combination?

    Colonel Sandurz: One, two, three, four, five.

    Skroob: One, two, three, four, five? That's amazing! I've got the same combination on my luggage!

  11. a53

    Phone Pins

    Wouldn't dream of making such a mistake. I arrived at mine by, or maybe I shouldn't say.

  12. P Zero
    FAIL

    What?

    I thought the world agreed that security via obscurity was silly? Certainly made me think about my 4-digit codes.

  13. yoinkster
    Thumb Up

    Awesome,

    Glad to see my choice of PINs didn't make the list. I feel clever for once!

    *insert witty reference to spaceballs luggage code scene*

  14. Badvok
    Happy

    I 5683 that 4283 isn't high in the list.

    Hippy goodness to all.

  15. AndrueC Silver badge
    Childcatcher

    Maybe not so odd

    >That last number is interesting: Amitay also found that years, from the 1990s and 2000s in particular, make very commonly used PINs.

      Would I be right in thinking that the majority of iPhone owners are in their 20s or early teens? It's a bit of a stretch as far as the 2000s are concerned but otherwise it makes me think of birth years :)

    1. Shaun 1

      Title

      Maybe the year they got their first phone and have been using it on all of them since.

      Or maybe first bank card etc

  16. bleh_meh
    Coat

    damn....

    now I have to change the number on my luggage!

  17. Andy Barker

    What is the PIN used for?

    I would think that a lot of people use the PIN purely to reduce the chances of accidentally dialling someone (or doing some other such thing). If so, then 0000, 1234, etc. is fine.

  18. Steve Ives
    Stop

    the EULA states...

    "...Application Provider may collect and use technical data and related information, including but not limited to technical information about Your device, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to You (if any) related to the Licensed Application"

    I don't think his use is covered by this.

  19. James Hughes 1

    Might be a bit naughty

    But it's interesting 'research' nevertheless.

    I once had a new cash point card, and when I received the pin, it was 1234. Not my choice, just randomly issued. Can't remember if I ever changed it...not got the card now in case anyone was thinking of mugging me.

  20. Steve Oliver 1

    12345?

    That's amazing! I've got the same combination on my luggage!

  21. Anonymous Coward
    FAIL

    pin stupidity

    My bank won't let me choose e.g. 4664 as a PIN because it's 'not random enough'.

    My card got nicked, so I ordered a new one, this comes with a bank-chosen pin to start off. good idea, the old one might be compromised.

    New one came set to 7777

    1. Tom 13

      That MIGHT be

      a completely randomly generated number. But the odds are about 984 to 1 against.

      1. DJ 2
        WTF?

        Not really.

        My wife and I had separate cards from the same bank issued, individual accounts, that had the same pin number. After a little bit of persuasion, they issued us with two new cards with two new pins.

        Obviously not that random.

        1. Chris 3

          Err, how do you know you had the same PINs

          Not something you should divulge to anyone?

  22. morphoyle

    approval

    I don't understand. I thought the approval process was in place to protect users from stuff like this? I guess the approval process isn't as useful as Apple had me believe.

    1. Paul Bruneau

      Nice try troll

      I don't think the review process could have pre-determined that the developer would publish commonly-used PINs. But keep on hating.

      1. heyrick Silver badge
        Happy

        @ Paul Bruneau

        ...except for the fact that if this was an Android app, all the Apple guys would be saying that this sort of nonsense is exactly what the AppStore walled garden is designed to prevent.

        Just admit it. You guys got pwned for a change. Next week, it'll be us. ;-)

        1. Paul Bruneau

          Hey, Rick-

          No, I don't think I can admit this one.

          If an app had gotten into the store and had started sending expensive text messages out without your permission (like happens in the Android store), then I'd agree with you.

          Or if someone had a malware app that exposed the actual iPhone passcodes of his users (which he cannot do, thanks Apple), I would also agree with you.

          But just because some idiot developer posted a list of passcodes that his users chose to use *in his app*, that is no sign of Apple's review system failing.

      2. CarlC
        Meh

        Hmmmm

        I also thought the Apple process would have been able to find code that sent data off the device especially something like a pin code, even if it is only used by the app. I thought that was the point of the App approval process and the walled garden. Guess I will stick to my Android, at least I know it is insecure and I don't have a false sense of security.

  23. Alan Birtles

    Alternatively...

    People (quite rightly, it turns out) didn't trust the app with an important PIN code so used an easy to remember but insecure code instead. On the other hand many people are probably using the same code for their bank cards.

  24. Geoff Campbell Silver badge
    Boffin

    Nah

    "Amitay reasoned that punters will generally use the same code for his app as they will for their iPhone's main PIN lock"

    Amitay reasoned wrongly. I can only speak from a sample of one, but when some two-bit phone app asks me for a PIN, I will almost certainly use something trivially memorable like 1234 precisely to avoid giving my main security PIN away to a third party.

    Security levels of passwords and PINs are precisely related to the importance of the application, and I think most people probably think the same.

    GJC

    1. Anonymous Coward
      Pint

      So if the reasoning for the connection between PINS is wrong,

      and the user ID is not being published with the PIN, why pull the app? It's not like he trojaned them for a credit card info. And you can't argue both sides on this one.

  25. b-a-r-k-i-n-g-m-a-d
    Meh

    Is anyone actually surprised?

    Is anyone actually surprised?

    It's the same as all the people who use 'password' or 'letmein' or 'qwerty' etc. as their passwords.

  26. Ramazan
    Headmaster

    10 most common PINs

    but there are only 3 attempts before the smartcard gets locked / data are wiped. So what's the point? BTW, El Reg has omitted the "out of 204,508 recorded passcodes" phrase from its article, making calculation of the expected break-in success ratio for a particular strategy impossible. The best strategy yields only about a 9.23% chance of success.
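
    As an added worked example (not part of this thread, and not the developer's app or data): the comment above asks what a three-guess budget buys an attacker against a lockout, and the second comment argues for randomly generated codes rather than chosen ones. The Python below covers both. It computes the success probability of guessing the k most frequent codes from a frequency table and compares it with the same budget against a uniformly random PIN, and it generates a PIN with the OS CSPRNG. The sample size is the 204,508 quoted above; the per-code counts, and all of the codes except 1234, 0000 and 5683 which the article mentions, are constructed for illustration and are simply chosen so that the top three add up to roughly the 9.23% the comment cites.

```python
import secrets
from collections import Counter

# Constructed figures for illustration only. SAMPLE_SIZE is the number the
# comment above quotes; the per-code counts are NOT the developer's real
# numbers. They are made up so that the three most frequent codes come to
# roughly 9.23% of the sample, the success rate the comment cites for a
# three-attempt strategy.
SAMPLE_SIZE = 204_508
CONSTRUCTED_COUNTS = Counter({
    "1234": 8_900,
    "0000": 5_250,
    "1111": 4_730,
    "5683": 3_300,   # 'love' on a phone keypad
    "1212": 1_800,
    "1998": 1_400,   # years are a common family of codes
    "2000": 1_200,
    "1990": 1_100,
    "7777": 950,
    "2580": 880,     # straight down the middle column of the keypad
})


def success_probability(counts, sample_size, attempts):
    """Probability that an attacker who spends `attempts` guesses on the
    most frequent codes in `counts` (a Counter of observed passcodes)
    unlocks a device whose owner chose from the same population.

    Guessing in descending frequency order is the optimal fixed strategy
    for a given budget. If `attempts` exceeds the number of listed codes
    the result is a lower bound, since unlisted codes are ignored."""
    if attempts < 0:
        raise ValueError("attempts must be non-negative")
    top = counts.most_common(attempts)
    return sum(n for _, n in top) / sample_size


def uniform_baseline(attempts, digits=4):
    """Success probability of the same budget against a uniformly random
    PIN of `digits` digits: each guess succeeds with probability 10**-digits
    and the guesses are distinct, so the probabilities simply add."""
    return attempts / 10 ** digits


def advantage(counts, sample_size, attempts, digits=4):
    """How many times more likely the frequency-ordered guesser is to get
    in than a guesser facing uniformly random PINs of the same length."""
    return (success_probability(counts, sample_size, attempts)
            / uniform_baseline(attempts, digits))


def random_pin(digits=4, blocklist=frozenset()):
    """Generate a PIN with the OS CSPRNG (`secrets`), retrying if the draw
    is in `blocklist`. Rejecting a handful of codes out of 10**digits costs
    a negligible amount of entropy; rejecting whole classes (every repeated
    digit, every year, ...) would not be negligible and would also tell an
    attacker which codes can never occur."""
    if digits < 1:
        raise ValueError("digits must be positive")
    if len(blocklist) >= 10 ** digits:
        raise ValueError("blocklist covers the whole keyspace")
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(digits))
        if pin not in blocklist:
            return pin


if __name__ == "__main__":
    for k in (1, 3, 10):
        p = success_probability(CONSTRUCTED_COUNTS, SAMPLE_SIZE, k)
        u = uniform_baseline(k)
        a = advantage(CONSTRUCTED_COUNTS, SAMPLE_SIZE, k)
        print(f"{k:2d} guesses: {p:.2%} vs uniform {u:.2%} ({a:.0f}x)")
    # The point made later in the thread: two more digits make the same
    # three guesses a hundred times less likely to succeed.
    print(f"6-digit uniform PIN, 3 guesses: {uniform_baseline(3, 6):.4%}")
    print("fresh 4-digit PIN:", random_pin(4, set(CONSTRUCTED_COUNTS)))
```

    The interesting number is the ratio, not the percentage: against the constructed table the three-guess attacker is roughly 300 times better off than against a random code, which is the whole case for generating PINs rather than choosing them. The same model works for the wipe-after-ten setting; only `attempts` changes.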

  27. Lance 3

    Approved

    So the app was approved by Apple and just now has been yanked?

    According to Apple:

    "The things the reviewers check for when apps are submitted: buggy software, apps that crash too much, use of unauthorized APIs (Google, apparently, excepted), privacy violation, inappropriate content for children, and anything that "degrades the core experience of the iPhone.""

    So what Apple says they do is not actually what they do. All smoke and mirrors from Apple.

  28. Mark Simon

    Worth a try ...

    If you find a pin locked phone lying around and want to break in, arguing the merits of whether the pin is a dummy, randomly generated or the same as something else is pointless. Here is a list of 10 suggestions which will quite possibly get you in. And not knowing the owner personally, you don’t offend anybody by assuming that the owner is an idiot.

  29. Anonymous Coward
    Boffin

    The real issue is the low digit count

    People can remember telephone numbers, or at least they used to. The real issue with PIN numbers is that 4 digits is way too few for any PIN to be secure.

  30. M Gale

    My unlock code is...

    ...a squiggly line. Gesture unlock for the win, just so long as you remember to clean the screen every now and then!
