iPhone insecurity
As I’m reading the news this morning and watching the folks gather in line for the iPhone 3G (keep in mind the update is not due until 7/11…would you park for a week just to be one of the first???), I’m once again drawn to the marketing hype that is Apple, and Apple at its finest.
Back in June 2007, Robert Vamosi wrote about the iPhone’s insecurity. His post included, in part,
Which brings us to the iPhone. Again, no one outside of an elite few has actually held an iPhone, yet there's legitimate concern about its security. But Jobs has said that it will be a closed operating system, meaning you cannot write mobile applications for it--directly. The carrot Jobs extended to the WWDC crowd was not a software development kit (SDK) for writing applications (which the developers I spoke to all wanted), but a way to write applets within the Safari browser.
As we have seen, security researchers were able to find fault with Safari 3.0 within days of its beta. Malware today is almost always financially motivated. The crowd that stands in line on June 29 for the 6 p.m. release of the iPhone has at least $500 to spend, more with the two-year contract to AT&T. These early adopters are going to load their iPhone with important contacts--maybe even download songs and movies that have value as well. In the end, the typical iPhone user may have a target on his back.
Even before the Safari announcement, the underlying Mac OS remains vulnerable, although by locking outside vendors to writing code for the iPhone, the overall security risk could be lower than expected. Eric Chen, writing on Symantec's blog site, said back in January 2007 that the iPhone was prone to two types of vulnerability exposure. One, the Mac OS is based on Unix, and Unix has a number of well-known vulnerabilities that could also affect the Mac OS. While the incentive to exploit these exists today (to give Apple a black eye, not to mention wreak havoc on the Apple community), there's much greater financial incentive in waiting to go after the mobile version of Mac OS in July. Second, Chen worries about the rise of nonstandard software on the iPhone. I think that the latter is somewhat removed now that Safari will be the legit platform for ad hoc programmers.
Robert is back with another post, which again includes, in part,
A leading Mac OS X researcher says Apple has not kept the iPhone operating system up to date with patches it has issued for the desktop.
The iPhone runs a stripped-down version of Mac OS 10.5 and automatically checks for security updates. The last update for the phone, 1.1.4, was issued in February.
That means iPhone users are still vulnerable to a flaw discovered by Charlie Miller in March.
And concludes…
Meanwhile, ZDNet's Ryan Naraine points out that there's another upcoming iPhone exploit expected soon from Aviv Raff.
Speculation within the security community is that Apple is currently focused on the 3G version of the iPhone. Upgrades to current iPhones may be pushed out in advance or concurrent with the July 11 release of iPhone 2.0.
Apple does not respond to requests for comment on its software security policies.
You can draw your own conclusions. Keep in mind that Apple and others also brag that the iPhone has reinvigorated browsing on the mobile phone. As I’ve mentioned before, the iPhone is the greatest thing to happen to the mobile phone market. Windows Mobile 6 and above, however, have now implemented Windows Update so that patches can be applied to the phone should vulnerabilities be found. In Apple’s mind, you should have to cradle your mobile device and use iTunes to potentially find your updates. Is that the right answer?