Great app idea, the client side looks very nice, and I'd love to have all my users buy copies... except that the server side of this app is a security disaster.

The server side of this app is implemented as a PHP script (strike 1) that unlinks files based on input from the web (strike 2), hand-crafts XML responses, and makes it easy for an attacker to brute-force his way into your voice mailboxes by not even letting you protect it with HTTP basic authentication (strike 3).

Some of this risk is mitigated if you require your users to connect via VPN, but VPN is not a silver bullet.

I haven't yet downloaded it, but in most of the examples they're referring to the Asterisk server as 192.x.x.x, so I think they're expecting it to be run on a local lan (or at least a VPN).

You'd think though that it wouldn't be too hard to change the server side additions as presumably they're not restricted by needing to go through the Apple store. I.E. the author should be able to make changes to that code as often as necessary.

Go through to their website and send them an email, really shouldn't be too hard to sanitize input, and bring in some authentication for the tasks required.

The server side script for the iPhone application in question is seriously flawed.

If you want to compromise your server, this is a good way to do it: (copy&paste from the php script)

$cmd = "cat ".$ASTERISK_VOICEMAIL_CONF." | grep ".$p_mailbox;
$last_line = exec($cmd, $retvalue);

And VPN isn't meant to be a replacement of security measures.

I agree VPN isn't meant to be a replacement, but at least then you have known access. I totally agree you're better off sorting out the issues :)

But recoding PHP to whitelist input is pretty simple.

I put in a criticism to the app developer outlining my points above. This morning I got a response from Adam Fletcher. He took the criticism well and responded that he "submitted a new version last night to Apple that does away with the script. Without going into detail, it basically logs you into the Asterisk Recording Interface via the web and functions in the exact same manner other than it does not use my script."

I haven't used ARI and can't comment on its security, but it sounds like an improvement.

Cool, that's good to hear - most developers are pretty keen to produce the best software they can - if you talk to them about a flaw they tend to fix it :)

Hi,

Just thought I'd post something else I noticed, a visual VM for Asterisk hosted on GoogleCode:

http://code.google.com/p/asterisk-voicemail-for-iphone/

Hey guys just to let you know I did fix it:) The program has been very solid for me and yes it does work over 3g and not just over your LAN! I built this program more as a learning tool to get a little more familiar with Asterisk and how to interface it. It is dependent on your system having the Asterisk Recording Interface installed, which is how it access your voicemail files. I am always insterested in learning more so if anyone has any questions, tips, or recommendations please feel free to contact me on my website.