Filed under: Analysis / Opinion, iPod Family, Security, iPhone
Thoughts on iPhone Security
This morning I was having a light hearted conversation about all the iPhone features developers have been able to harness and add to their apps. The back and forth was telling. We can now use Google Maps to tell us where you are. We can use Core Telephony to send out SMS messages. We can read your contacts database and look through your phone history. We can grab your microphone and listen to what you're saying and use your camera to shoot pictures without you even knowing and...
Holy freaking cow.
And then I thought for a second and concluded: "...it's exactly like programming for a Mac".
Security concerns are not unique to the iPhone and its full featured capabilities are nothing new for computing. What makes the iPhone seem different is that it fits in your pocket. Mobile WinCE never did all this stuff.
So it's up to developers to program responsibly. Just like Macs. Just like Windows. Just like Linux.
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 1)
koko76 said 5:09PM on 2-11-2008
We're just discovering that there *might* be some security concerns with a device that fits in your pocket, has all your personal info on it, and can wirelessly communicate with anyone in the world, with the ability to charge you money for it? Abraca-duh.
Seriously, what is mysterious about this? It's a wonder to me that so many people decide to blindly hack and add whatever third party apps to their devices without taking the time to think what info they might be exposing and to whom.
Reply
starkruzr said 11:47PM on 2-11-2008
The benefits outweigh the risks for those of us who choose to do so.
That said, you have cited the reason I use mostly open-source software on my iPhone.
arf said 5:13PM on 2-11-2008
what?, and put us security guys out of work? naw, let history repeat itself.
Reply
boB Rudis said 5:16PM on 2-11-2008
Yeah. It's humorous that folks will expose then exploit security holes to "break" the iPhone to only then be concerned about the security implications of running third-party code on the device and secure development practices for the device.
I'll be glad when the SDK comes out, even if I have to pay to develop for the platform and pay for the apps. We stand at least a small chance of these hacks continuing to do a disservice to the Apple community.
Reply
punkassjim said 5:36PM on 2-11-2008
Good to know you (and your developer friends) are thinking about these issues, Erica, but I gotta say...writing a post like this, so far into the game, kinda leads me to believe that this is the first you're thinking of it. Which kinda makes me briefly consider turning in my Installer.app. It's just that scary.
Most of the desktop world seems to be perfectly happy saddling their computers with anti-virus and anti-spyware software...but I'd kinda like that to never be the case on the iPhone. I'll admit I love my jailbroken phone, but I'm dying for an Apple-branded security-signed app installation process.
Reply
Sabon said 5:39PM on 2-11-2008
This is only on iPhones that have been unlocked, right?
Reply
mentalsticks said 6:05PM on 2-11-2008
@sabon: There's nothing new, nothing different than yesterday. Every computer has security holes, so the iPhone does, too, but there's nothing acute going on whatsoever. It's just a brainwave kind of post.
potato said 5:54PM on 2-11-2008
Erica: How do you place calls and look through the address book from API? I can't class dump AddressBook.framework for some reason. Any pointers?
Reply
thethirdmoose said 6:30PM on 2-11-2008
0x3495AB9234
0x893FF32CD3
0xGD8B293823
Rob said 6:10PM on 2-11-2008
In my view, BOTH the iPhone and Mac OS X are INSECURE. The Safari web browser has so many holes, it looks like swiss cheese. One of the holes was so bad that you could jailbreak your iPhone just by visiting a web site. Think about it for a minute. Just by visiting a web site, someone could install software on your phone. (Since the security flaw affected the Mac, the same thing could happen if your surfed to a malicious web site. You could get infected with Spyware etc).
Yes, that flaw was patched in iPhone 1.1.3 but there are some new flaws that have NOT yet been patched in 1.1.3 (or the latest version of Tiger or Leopard).
One of the reasons that Macs and iPhones have not been infected with Spyware etc is there still is not that worthwhile for most spyware developers. There is more bang for the buck in developing spyware, trojans etc for Windows.
But I think that will change with the popularity of the iPhone and the increased market share for the Mac.
Remember, despite what Apple says, there is valuable info on your iPhone. Account Names and Passwords, Contact names and Emails etc. A spammer's dream.
Reply
airmanchairman said 6:29PM on 2-11-2008
Yeah, right, Mam'selle Sadun.
Lock the barn door after the horse has bolted...
Medicine after Death.
Etc.
Failing to plan in advance is no different from planning to fail in advance.
Reply
Lonewolf said 8:53PM on 2-11-2008
"Mobile WinCE never did all this stuff." What, precisely, are you contending that Windows Mobile doesn't do?
Web browser?
You can use the included Pocket IE, or your choice of at least 7 alternatives that you can install (legally, without any jailbreaking or warranty violations).
E-mail?
Yep, outlook's in there, and it supports POP and IMAP (works great w/ Gmail, and exactly the same protocol used by the iPhone "update"), as well as Exchange Server with Push delivery.
Address Book?
Contacts is there, and offers better integration with directory services than the iPoS.
Music and Video?
WMP is there, and there are 3rd-party alternatives (TCPMP, anyone?) that support additional CODECs. YouTube works, too.
SMS?
Yeah, been there, done that, but without the cheesy chat bubbles -- oh, and I can send MMS, not just SMS.
Google Maps?
All the Jan '08 features have been there for a while, but I can also use GPS to get actual location information.
Clock and Calendar?
Yep, there.
Stocks and Weather?
I don't have to hide the fact that I'm using a web service, but if I want to I can actually put the data, and not just the icon on my Today screen.
3rd-party Software? Self-Developed Software? Documented API?
Oh, wait, the iPhone still doesn't have a timeline for when this will be supported. But, I'm sure that crappy AJAX "apps" are good enough -- especially compared to things like my SSH client that supports tunnels, actual GPS Nav app, universal IM client, FTP client, and other network tools. Of course, I also have the ability to develop and install whatever I like.
Word editor, Excel editor, PDF viewer, and PPT viewer?
Let's see you do any of that on your iPhone. Out of the box on all Windows Mobile Devices (ok, PDF is oob on most).
Reply
starkruzr said 12:53AM on 2-12-2008
What ssh client are you using? This is a serious question. How much money did you pay for your IM client? This is also a serious question. There are *NO* free IM solutions for WinMo other than the craptacular UK PocketPC AIM from years ago.
There is also no ability on WinMo devices to port most commandline UNIX software, because more than 8 years into development there is still no console that actually works on WinMo. We have all of it on our iPhones.
Also, WinMo's performance is absolute garbage. And its UI is still designed for pens rather than fingers.
I wish all of this wasn't true, but it is, and that's sad.
mike c said 9:29PM on 2-11-2008
I wonder if that's why Flash wasn't on the iPhone in the first place?
Every once in a while I go to the web-based Flash Settings Manager and check to see if the settings hasn't been changed to allow a website to activate my camera and microphone.... or add a buncha stuff i.e. "memory usage allowed." In fact I just checked it and there are a ton of websites that have my settings stored on my computer (which I just deleted). Probably all harmless. Probably.
Reply
DWizzy said 9:30AM on 2-12-2008
How is this exactly 'new', or not possible with Windows Mobile? It has been done for years, even a 1998 Siemens phone could be hacked with a custom firmware that made it silently accept calls from a pre-configured number.
Reply