There have been several security issues with the iPhone in its short life, from this weakness, which appeared shortly after its release, to this, this, and this security update for the device. In addition, there has been a lot of talk about how it could be attacked by hackers.
In a vague press release from a security analyst hoping to make a name for itself, suggestions are made that the “iPhone will become the victim of a serious attack in 2008.” This analyst suggests that “These assaults are likely to be in the form of drive by attacks – malware embedded into seemingly harmless information, images or other media that actually perform dangerous actions when rendered on the iPhone’s Web browser.”
Well, that’s like saying it will rain sometime next month, but we don’t know when or how much. However, one comment does make sense: “hackers will be enticed by the possibility of attacking Apple users and the opportunity to ‘be the first’ to hack a new platform.” The iPhone is high-profile, it’s always on, and it has Internet access, all factors that could lead to attacks. In addition, phone users generally don’t worry about security - they don’t have firewalls or antivirus software installed, and in the case of the iPhone, there is no way to install this sort of software.
Intego believes that there will be threats to the iPhone, and given the kinds of flaws that have affected Apple software recently (the RSPlug Trojan Horse and the QuickTime streaming flaw), it’s not clear which type of malware will be most effective, or most virulent. It is worth noting that there are ways of hijacking phones to make money - having them call expensive numbers that are not included in phone plans, for example; something that is harder to do on computers.
Intego is monitoring security issues on the iPhone, and will provide information whenever any threats appear that affect this device.
Apple today released a security update for the iPhone and the iPod touch. Numbered 1.1.2 for both devices, this update protects against the poetic “maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.”
Since you can only update the iPhone and iPod touch from iTunes, and since iTunes only checks for updates weekly, you should connect your device and click the Check Now button on the device’s settings screen. This will tell iTunes to check for an update right away so you can be safe.
Apple, on its Hot News page on October 19, announced that they will be providing a software development kit (SDK) for the iPhone, as well as for the iPod touch. We noticed that Apple highlighted the following in their announcement:
“It will take until February to release an SDK because we’re trying to do two diametrically opposed things at once—provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc. This is no easy task. Some claim that viruses and malware are not a problem on mobile phones—this is simply not true. There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target.”
Naturally, Intego will be following these developments very closely, to help ensure that the iPhone remains safe and secure.
Note: Daring Fireball has an excellent analysis of the questions and issues relative to this announcement.
Apple has released the iPhone 1.1.1 update, which contains, in addition to bug fixes and improvements for the phone itself, ten security fixes. This update corrects vulnerabilities in the phone’s Bluetooth software, its Mail software, and a vulnerability that could cause you to unwittingly dial numbers that arrive in your e-mail or that are displayed on web pages with “tel:” phone number links. Other fixes patch weaknesses in Safari and JavaScript. Make sure to update your iPhone immediately, using iTunes - if you’re a Mac user, iPhone updates don’t appear in the Software Update preference pane.
Note that reports say that some “unlocked” phones - those iPhones that have been hacked to work with carriers other than AT&T - do not work after the update. If you’ve hacked your iPhone in this manner, use at your own risk.
You can get more information and details about all the security fixes on this Apple web page.
With the iPhone just a few weeks old, the first security issue has appeared. It’s not a virus, a worm, or a Trojan horse, but a weakness in the iPhone’s Web dialing feature. As Macworld reports, this feature can be exploited, causing iPhone users to unknowingly dial expensive phone numbers (such as 900 numbers) or continuously dial certain numbers. While you’d have to visit a malicious web site for this to occur, it’s best to turn off this feature, since you could land on a malicious web site without knowing. Just dial your numbers manually. After all, that’s easy enough to do with just a few taps.