ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Mobile devices Toolkit

The pros and cons of iPhone security

Robert Vamosi CNET News.com

Published: 29 Jun 2007 14:23 BST

…attackers who are determined will overcome. I think that Apple has been very tight-lipped about the underlying processor that will be running on the iPhone. I suspect that we will find out on Friday. Before then we're just guessing.

I'm sure someone will open the iPhone up shortly after launch and report everything they find inside. Apple has already talked a little about updating the iPhone software or firmware. Everything from activation to updates is to be handled through iTunes, right?
The iPhone is likely to be connected to a PC quite frequently, and the update mechanism for other Apple devices that are connected to the PC, such as the iPod, is very robust and very user-friendly. If you want to update the program on your iPod, for example, if you connect it to your PC, it's just one click to update the firmware within the iTunes software. Some of that people take for granted in terms of its peers but it's really not that common to have a good update mechanism for a smartphone. And that's one of the biggest problems for a lot of the smartphones out there — there's no easy way to update. And, so, if you ask a lot of people with a smartphone when was the last time they patched their smartphone, most of them would look at you like you're crazy because very few of them have done it.

In many cases there is no over-the-air update mechanism, and also these phones are not connected to the PCs with the specific purpose of its own firmware updates. Some of the firmware updates (for smartphones) require you to back up all of your contacts and data on the device, wipe the entire device, and so on. All of these things contribute to updates for other smartphones being very infrequent.

Read this

iPhone: What you need to know

As Apple unveils the mobile to end all mobiles, ZDNet.co.uk looks at what all the fuss is about

If Apple makes updating the iPhone as easy as it has made updating some of the other devices (like the iPod), it'll have a leg up on other smartphones in terms of installing patches and keeping it up to date, even if security vulnerabilities are there. I think that's a positive as well. The only other smartphone that has that to any degree is the BlackBerry, where updates can push from the enterprise server, and be managed by corporate IT. But outside that most smartphones are very hard to update, and they require you to manually search for updates on your own and let you install them by yourself.

So the iPhone will be easy to keep patched, but it seems there's another exploitable weakness — the browser. Even if you have a fully patched browser, there are still ways for criminals to hijack the Ajax processes on Web 2.0-enabled sites, for example, and link iPhone users to malicious code. But that's assuming the Apple Safari browser is not itself vulnerable, right?
Yes. You're absolutely right. If you look at the history of browser security for the past year or two, it's been absolutely terrible. And that's because browsers are enormous and very complex applications. One of the things we do know about the iPhone is that the Safari browser will definitely be on it. And the only documented way for third parties to develop applications for the device will also be through Safari and through Ajax. So it's very likely that vulnerabilities that are found for Safari for Mac or Safari for Windows will also affect the iPhone.

I think that's just a small piece of the bigger potential security risk being that having an iPhone based on Mac OS X gives attackers the ability to go and analyse any shared application that might be on a Mac, and analyse it on a familiar platform that they understand very well, and then try and extend that knowledge or port it over to the iPhone. We're likely to see that there will be a parallel stream of updates for the Safari browser on both Mac and on the iPhone, and for other applications within OS X that run both on the Mac and on the iPhone. Even though it's a closed platform, it will have a certain degree of transparency because of the shared code base with other platforms.

I would also guess that less sophisticated attackers are likely to try and look at the applications on the Mac platform or the Safari browser on Windows and then simply try the exploits that they create against the iPhone and see if they work. We've already seen some public speculation that the Safari vulnerabilities will affect the iPhone prior to its release.