SECURITY: Newsweek - Spectre of the Great iPhone Epidemic

Discussion in 'iPhone' started by Cleverboy, Oct 21, 2007.

  1. Cleverboy macrumors 65816

    Cleverboy

    Joined:
    May 25, 2007
    Location:
    Pocket Universe, nth Dimensional Complex Manifold
    #1
    READ MORE:
    http://www.newsweek.com/id/41992

    Is an epidemic coming to this self-described "always connected" device, with lots of processing muscle, and access to e-mail, text messaging, and Internet browsing? How hard will it hit when it arrives? Will legions of people refuse to upgrade when Apple releases the patch, because they're stuck to a specific unlock scheme, or afraid to lose installed apps not written by Apple?

    I don't buy the scenario Newsweek suggests for a number of reasons, but I agree that cold-hard cash is a very appealing motive. There are a number of ways to manipulate that result however, provided the virus obtains the right information.

    ~ CB
     
  2. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #2
    Thanks for the story.

    Other phones have been "always connected" for years, have memory and cpu to spare.

    The main reason the iPhone is currently extra susceptible, is because its Safari browser continues to have security holes. Close them, and it'd be safe from at least the web vector of hidden code.

    I do think the iPhone (and Jobs' scary talk) has unfortunately raised the spectre of more phone viruses. It's a pity that it might be remembered for that in the future.
     
  3. Cleverboy thread starter macrumors 65816

    #3
    Sure, but the Newsweek article specifically cites the WAY iPhone operates "more like a computer" along with its "always connected" status (which isn't new, but it is simply another piece to the "perfect storm" if you see the inference), along with processing power, root access and available system memory. John Gruber I think made a number of good points in a post to his blog.
    From my understanding, most phones do NOT run under these conditions. As the Newsweek articles suggest, many smartphones like Treos or Blackberries employ various security policies that the iPhone, currently as a closed platform, has not really begun to implement.

    I know there's a distinct want to poo-poo everything, but I don't think this all goes away by simply wanting it to.

    I love my iPhone. I just want a secure platform, and I really really don't want to hear the howling later, of a thousand people misled by snarky blogs and good intentioned rogues, who didn't see something preventable coming from a mile away.

    ~ CB
     
  4. calvy macrumors 65816

    Joined:
    Sep 17, 2007
    #4
    oh come on, I know I've heard about at least one Windows Mobile virus. I hardly even open safari on my iPhone, so hopefully that keeps me from most virus attempts that come along.
     
  5. kdarling macrumors demi-god

    #5
    Well, it's true that Blackberries and Windows Mobile phones have several security tiers.

    Many are set to a middle tier, wherein third party apps can run but not access the dialer, etc, unless they have a certificate. Other phones (and a lot of users run "app unlockers" to make theirs this way) allow running any program after the user is first asked.

    I'm in the latter category. I app-unlock my WM phones, and only run third party apps that I've bought or that are well known. (And of course, my own apps that I write.)

    I never heard of a WM virus outside of labs. Years ago, there was a Nokia one that vaguely sent itself around via Bluetooth once the owner accepted and viewed an MMS, I believe. That's all it did, though.

    Again, mobile devices have a great way around problems, that desktops don't. You can much more easily wipe out and restore most handhelds. Got a problem? Zap the whole thing and reload.
     
  6. Cleverboy thread starter macrumors 65816

    #6
    It's funny. There was a digg article the other day that posted a URL Google search result page, displaying numerous network connected printers whose owners didn't realize they were exposed. Diggers from all around started attempting to utilize the printers, one amusing message reading "Small Animal Stuck in Paper Tray". It's really funny, until such a security problem results in something less than funny.

    You don't necessarily need to enter Safari to cause a problem with arbitrary code execution. Did you notice the Bluetooth issue also fixed by the 1.1.1 update? Or, how about the Mail flaw?
    For example, everyone with an iPhone is likely familiar with the "linksys" default name being used on far too many wireless routers. Your phone sometimes sees the familiar name, and tries to auto-connect to it. In some cases, this attempted connection might simply bring up a login webpage instead of the page/URL being requested. That WiFi hot spot is however now serving up your Internet access and could potentially capture your mail server host name and pretend to accept your credentials while simply recording them. There were a number of WiFi related exploits that work off of this "masquerade" principle.

    Honestly, word to the wise.

    Mm. What happens if the problem persists through your User sync areas, and surreptitiously reapplies itself to your phone after a restore, without your knowledge? Food for thought anyway.

    ~ CB
     
  7. Cleverboy thread starter macrumors 65816

    #7
    I get the impression that you're the one your family turns to when their computers go into meltdown. :) My caution, is that as is, the iPhone doesn't make those "security" distinctions yet. Until 1.1.1, even a webpage could trick you into dialing a wrong number without much effort.

    I'm looking forward to a certificate system on the iPhone like these others have. Sure, there may be app-unlockers for the iPhone too, but hopefully websites like Gizmodo or Engadget don't encourage people to utilize these as a routine "first step" in getting into 3rd party apps. Right now, "power user" behaviors are being described to those folks that aren't power users, and people are becoming dangerously blind to securing their personal information.

    As the platform matures, I don't believe anything occurring today will VANISH so much as it will evolve and be covered over by new ideas and things people will want to promote. The same reckless abandon will still exist unless more people get on the same page about it.

    ~ CB
     
