Is Apple Blocking Jailbroken iPhones from the App Store?

The Redmond Pie website is reporting that Apple may be banning jailbroken iPhones from the App Store. Two people have reported that their iPhones have been banned for “security reasons”; they discovered this when trying to connect to the App Store.


According to the screenshots they have provided, the Apple ID itself is banned, which means that those users are most likely banned from accessing the App Store using iTunes as well. It’s not clear if their iTunes Store accounts are totally blocked, or if this just applies to iPhone app purchases.

Since these reports are merely anecdotal for now, we will have to wait and see if more users of jailbroken iPhones are blocked from the App Store before being able to confirm this. It is possible that these “security reasons” are related to other issues, such as a credit card fraud probe of the iTunes Store, or a similar issue regarding fraudulent gift cards, which has been circulating for some time.

We have discussed the risks of jailbreaking an iPhone many times, notably in our Year in Mac Security 2009 report. It seems that Apple, unable to prevent jailbreaking as such, is shutting a different door, which may make people think twice before jailbreaking their phones.

Posted by Peter on February 15, 2010 in Apple, iPhone

Should iPhone Users Worry About Rogue Apps?

What risk is there from “rogue” apps getting installed on iPhones? Swiss researcher Nicolas Seriot thinks it’s very serious, and he’s made a proof-of-concept app to show people. In a talk at this year’s Black Hat security conference, Seriot is discussing how apps on the iPhone can harvest data from a device. He says it’s easy for an application to retrieve the following data on an iPhone:

  • Phone number
  • Address book info
  • File system information
  • The 20 most recent Safari searches
  • YouTube history
  • E-mail account parameters (though not the password)
  • The iPhone’s UUID
  • The iPhone’s ICCID (its SIM card serial number)
  • The iPhone’s IMSI (International Mobile Subscriber Identity)
  • The keyboard cache (which contains words typed, used for auto-complete)
  • Information about photos taken with the phone, such as date, time, and location

Okay, first a reality check: any application on a computer (Mac, Windows or Linux) has access to similar information (not phone numbers, of course, if the device is not a phone). The real problem here is not the access to information – because access to, say, your Address Book or iCal events, on Mac OS X, is a feature, not a bug – but whether that information can surreptitiously be obtained from your device and communicated to a third party. We’re not saying this isn’t an issue; it’s just part of what happens when you install applications. You can never know exactly what those applications are doing.

Seriot has some valid points, but then he gets lost in speculation that is, well, a bit wild. For example, say someone creates an app to follow Hollywood gossip on the iPhone.

“While giving clues about spotting stars, it surreptitiously goes through your address book and edits the email addresses.

“Knowing that film industry people are likely to download this application, the emails they send are diverted to a clandestine server, providing potentially compromising private information to a prospective blackmailer.”

Blackmailer? Seriously? Anyone who wants to blackmail people will have to do better than that. Seriot does not say that e-mails can be trapped by his “spyware”.

Or how about this one?

“An application for Rolls Royce owners or art collectors could report the name, the area, the phone and the geotagged photos of wealthy people. This is enough information to rob them, especially if it can be determined that the targeted individuals are currently away from home.”

Sure, “Rolls Royce owners” are going to all run out and grab an app for their iPhones. To do what? Rolls Royce-spotting?

Or what about VIPs?

“It is easy to imagine how an attack could be targeted against a particular individual. For example, French Prime Minister François Fillon is very proud of his iPhone and takes it everywhere. Fillon is a native of the French region called la Sarthe, where he also has his political roots. There is a significant likelihood that he would download an iPhone application designed to provide local breaking political news. It does not take much imagination to see the potential for damage in such a scenario.”

I certainly hope that government officials follow a security policy and do not install third-party apps on their devices. Or if they do, they don’t use those devices for sensitive communication.

In short, there are real risks of data harvesting on any mobile device, and the iPhone in particular. However, these same risks exist on computers. Users install plenty of applications that could be stealing data and sending it to a remote server. Since most applications connect to the Internet, if only to check for updates, users can’t know which applications may be doing this and what they may be sending. Intego VirusBarrier X6 includes spyware protection for Mac OS X, offering granular settings per application and port, so users can find out which applications “phone home”. But this type of application is not available for the iPhone, because Apple does not allow third-party apps to run in the background. Perhaps that’s what’s needed to protect iPhone users from these “rogue” apps?

Posted by Peter on February 4, 2010 in Security, iPhone

Apple Issues Security Update for iPhone OS

Apple has issued a security update for its iPhone OS, for both the iPhone and iPod touch, fixing five serious bugs in the way audio files and images are handled, in recovery mode, and in WebKit (the framework used for displaying HTML content). Several of these bugs could lead to arbitrary code execution, and the recovery mode bug could allow people with physical access to a locked iPhone to access its data.

Updates for the iPhone and iPod touch are available only through iTunes. More information about this update is available here.

Posted by Peter on February 3, 2010 in Apple, Security, iPhone

Google’s Apple: For Isaac Newton, or a Prediction of Things to Come?

Google’s logo (above) is today celebrating the birth of Isaac Newton, born on this day in 1642. But could it also be a swipe at Apple? Google is scheduled to announce its new “Nexus One” telephone tomorrow, and the falling apple in this animated logo could symbolize what Google hopes will happen to its competitor from Cupertino.

In any case, the Google phone will be a serious contender for the growing smartphone market, and its immediate competition is the iPhone. We’ll see tomorrow what the Nexus One offers, and whether it will take a bite out of Apple’s market share.

Posted by Peter on January 4, 2010 in Apple, Other Software, iPhone

iPhone Makes Headway in the Enterprise due to Security Improvements

When the iPhone was first released, businesses were hesitant to support the device because of many security weaknesses inherent in its operating system. But with improvements made in the latest version of the iPhone operating system, businesses are starting to adopt Apple’s phone. With the combination of support for Microsoft Exchange and its security features, plus the improved iPhone Configuration Utility, the iPhone has proven safe and secure. In addition, it is expected that additional security enhancements will be added in the near future.

One point that may make the iPhone inherently secure is the closed system: with Apple only allowing approved software to be installed (at least on phones that are not jailbroken), there is much less chance that rogue applications will be added to iPhones.

A NetworkWorld article suggests that two major changes will be made in the near future that will lead to reinforced security. The first is “support for over-the-air application downloads and firmware updates,” meaning that users won’t be able to make changes to their phones by connecting them to iTunes. Businesses will be able to fully control the applications installed on iPhones, as well as the device’s configurations. The second expected change is “to lock the iPhone’s boot loader to prevent the phone from being jailbroken.” While this is laudable, it’s highly likely that the developers who maintain jailbreaking software will find a way around this.

One further suggestion is opening up the platform to security applications: Ken Dulaney, vice president of mobile computing for Gartner, “speculates that Apple may introduce a way for these vendors to exploit limited background processing (or multi-tasking) on the iPhone. That would let a security application connect with, monitor and control lower-level operating system and device functions.”

These changes and others will enhance the iPhone’s usage in business environments, but a lot of the above is just speculation. We’ll have to wait and see exactly what Apple dishes out in the near future. But it seems obvious that this is a lucrative market that Apple wants to crack.

Posted by Peter on December 8, 2009 in Security, iPhone

More Information about the iBotnet Worm that Attacks iPhones

We reported yesterday about a worm that affects jailbroken iPhones, stealing personal data, directing users to phishing sites, and creating a botnet. Intego’s security specialists have analyzed the code of the iBotnet worm and have found striking similarities with the ikee worm, which we discussed on November 9. What this means is that the newer worm, iBotnet, has used some of the code that was published on-line after the ikee worm was discovered.

The creator of the ikee worm thought that his malware was a mere prank, and could alert iPhone users who jailbreak their phones to the security risks they run. However, his releasing the code publicly had the effect that we expected: malware writers – the malicious ones – took advantage of his work to create new, more dangerous malware.

At the risk of repeating ourselves, we’d like to reiterate what we said yesterday: users who jailbreak their iPhones are exposing themselves to known vulnerabilities that are being exploited by code that is circulating in the wild. If users install ssh, they should change the default password, which is widely known.

Apple agrees with us. In a statement published on The Loop, an Apple spokesperson said, “As we’ve said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably.”

Intego feels that we have not seen the end of malware attacking jailbroken iPhones. They’re an easy target, and effective code is widely available. So think very carefully before you jailbreak your iPhone, and take the necessary security precautions: change your root password!

Posted by Peter on November 24, 2009 in Security, iPhone

Copyright © 2007-2010 Intego