Couple of days ago, a story related to an iPhone App developed in Switzerland made quite some buzz on the net as some websites concluded that it was a security breach in Apple's iPhone OS. Indeed, same sites claimed that developers could obtained the telephone number of customers downloading and making use of their application, creating a potential conflict regarding personal data storage and handling. Those personal details to be recovered are known as MSISDN. We then asked to mobile phone carriers if such data could be effectively retrieved, and hereafter is a summary of what we learned:
In France, this is even a service available from the three main carriers, and developers or third-parties offering a service (on demand or SMS, etc...) can purchase this program. However, if carriers can obtained all MSISDN details, each customer is tagged with a unique ID, and this is IS that is provided to developers or third-parties. In other words, they can generate bills linked to the use of online service to those customers thank to the list generated by carriers, but they can NOT obtain details regarding customer's telephone numbers etc.
This authentication process is provided by most carriers is only available via mobile phone network and not via Wi-Fi as this mean is not consider secure enough to identify without any doubt a client.
So, except if Swiss carriers apply different business model than in France (we doubt they do), then this famous function available in the iPhone OS since one year is far from breaching any security level and does not seem to be able to compromise personal data of customers as one would need to have both the IS list and the corresponding customer.
Last but not least, one of the contacted carrier made this interesting comment:
From the early days, all application for Windows Mobile and Symbian, and even Java, were designed to get access to some of customer's data and nobody was complaining; but if the same function is available in a mobile phone/Os designed by Apple, then everybody is complaining...
So, in summary, its seems that while this function exists on iPhone OS for about one year and for several years on other Mobile Phone OS, it does not really directly expose customer details to developers or third-parties, as carriers are the only one able to assign ID with real customer names.
