Lawsuit: iPhone app developer Storm8 stole phone numbers, user data

A federal lawsuit filed Wednesday claims that popular App Store app developer Storm8 may have bypassed safeguards in order to obtain data such as phone numbers via games downloaded over 20 million times.

World War, iMobsters, Racing Live, Vampires, Kingdoms, Zombies Live, Rockstars Live and Ninjas Live are some of the iPod Touch and iPhone titles listed on Storm8’s website. Court documents point to “secret code” written into games to circumvent protections preventing apps from collecting data on unsuspecting users:

“…Storm8 makes use of the ‘backdoor’ method to access, collect, and transmit the wireless phone numbers of the iPhones on which its games are installed,” states the complaint, which was filed in US District Court in Northern California. “Storm8 does so or has done so in all of its games.”

The Register points to a column written back in August about privacy concerns and the iPhone. The columnist highlights data-gathering in Storm8’s Vampires Live mini MMORPG:

One of the best selling iPhone apps is Vampires Live, a very cool game which is a take off from the current pop culture fascination with vampires. The app is built by Storm8 and is the 8th best selling iPhone app.

The game is essentially a massive multi-player online game which will use your 3G or WiFi connection. 3G is your data plan. So far so good. While playing vampires is fun, it does not involve exchanging phone numbers with other players. In fact, no one needs your phone number to play with you.

But guess what?

Without your permission, Storm8 harvests both your UDID, phone number, email and name (on registration).

(Examples of code.)

As you can see, the personally identifiable information which is the PNUM is being transmitted and I guess stored with Storm8’s servers. For non-technical types, PNUM is phone number and I changed the telephone number on the log to hide my personal number. I would not want just anyone to have my personal phone number. Worst of all, the information is transmitted unencrypted in plain text.

Storm8 is claiming that the data collection was unintentional and part of “a bug that has been fixed.” But the plaintiff is skeptical, saying the developers used “very specific and specialized software code to do so.” The claimant in the case is hoping to obtain class action status.

[Source: The Register]