Newsmaker: The pros and cons of iPhone security

Few people standing in line to buy an iPhone Friday will be focusing on the security of Apple's new phone. But some influential security researchers already have given the matter lots of thought.

Take Neel Mehta, a security expert at IBM's Internet Security Systems, which typically focuses on perimeter security for large corporations.

Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder."

Mehta thinks the iPhone will attract a more sophisticated criminal who's attracted to the challenge of hacking a complex system. Also, with Symbian OS-enabled phones currently occupying 40 to 50 percent of the world market, most petty thieves will still be drawn to the lower-hanging fruit.

In advance of iPhone's release, CNET News.com spoke to Mehta about the pros and cons of iPhone security.

The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have to a completely secure code base.

Q: What is the biggest security threat to the iPhone?
Mehta: The number of eyes that will be drawn to the iPhone platform itself and all the applications that run on it, that's probably the biggest security risk for the iPhone itself in that it will be undergoing a tremendous amount of scrutiny, probably more so than any of these applications have seen before. In the end, we'll get a better understanding of how secure the entire code base is and how these applications withstand thousands of eyes looking at them.

Do you think some early adopters will be targeted by criminals online? Early iPhone users by definition are going to be wealthier than the average person. And for a criminal, there's bound to be payoff in stealing the personal data of someone like that.
Mehta: The people who are going to buy (the iPhone) are the people who have $500 to spend on a smart phone and are fairly technology savvy as well. Again, it's a phone and its also, from my understanding, being marketed in a consumer space, and has features that are much more attractive to consumers instead of businesses in terms of the ability to download and play media of all different types on it, and so on.

So businesses will likely have employees that use it, but in terms of sanctioned IT use within an enterprise environment it's probably not going to be that common. It's always possible that there will be attackers who will launch sophisticated attacks against someone with an iPhone, but there are a lot of other mobile devices that are much more common within an enterprise environment, such as the BlackBerry for example, that are more interesting targets--at least in the short term.

You mentioned that the iPhone's being marketed as a consumer phone. That means there will be a lot of media-rich applications preinstalled. How will that affect the overall security of the device?
Mehta: You can look at it as a portable computing device, more so than any other mobile phone, in its traditional sense, so it is going to have to understand many different types of multimedia formats. It will be able to play audio, video, pull that content off the wireless network, or off a PC that it's connected to. It will also understand e-mail. It will contain, possibly, a full-featured version of Mac OS X, and so the complexity of the device makes it more challenging to secure.

News.com Poll

Calling plan
Will you buy an iPhone?

Are you kidding? I'm in line now
The next time I'm at an Apple store
After I read the reviews - maybe
When someone other than AT&T is the carrier
Not till the price is under $200
No 3G? No way!
Never

View results

We're seeing this with all the different smart-phone platforms--as they become more complex, have more features built into them, they also have more opportunities for hackers to break into them. The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have a completely secure code base?And so we'll likely see the need for updates for the iPhone as flaws are discovered.

Speaking of flaws, there have been a few exploits developed recently for Mac OS X vulnerabilities. Mac OS X is based on Unix. Isn't it likely, with the increased interest in Mac OS, that someone will start porting over existing Unix exploits and trying them against the Mac?
Mehta: Mac is based off or derived from BSD Unix. The OS X that's running on iPhone will most likely be derived from the same original code base. But, the one thing that will probably be a huge factor in how easy it is to port exploits over is the processor that's in the phone. At the moment we don't know for sure what that processor will be. If it's an Intel-based processor, then it will be very similar to the current generation of Mac computers. There probably won't be that much difficulty for attackers to port exploits from existing Mac platforms over to the iPhone.

But if it turns out to be an ARM processor, for example, that's different. ARM has the biggest share of the processor market for mobile devices. That may be something a little bit new for the people who have been writing exploits for the Unix environment or for the Mac computing devices. If there's a change in processor architecture, it may take them a little bit of time. It's something that attackers who are determined will overcome. I think that Apple has been very tight-lipped about the underlying processor that will be running on the iPhone. I suspect that we will find out on Friday. Before then we're just guessing.

More Newsmakers

[ArturoYee]

Bit confused by the story - maybe I should consider the source

1. Is Mehta confused about BSD and OS X? They are not one of
the same! Wow - and he is an "expert"!
2. Exploits only because lack of SDK? Maybe it is just more fun
attacking DOS/WIndows because it is easier? More holes?
Attack the registry and cripple a machine?
3. iPhones not for business people, only for consumers?
Another Wow! If he was writing about computers in the 50's, he
will say that computers would be only for a few large insuarance
companies.

[Thomas, David]

Re:Not confused

I think he was as objective as he could be.

There are
a lot of questions concerning security, and he did point out
that:

• There isn't an SDK availabe so third
  party based client applications are not a factor. He pointed out
  this as barrier for exploiting an iPhone.
• Web browsers
  are historically, and by nature, impossible to completely secure
  because you don't have to hijack someones client to take
  advantage of them. You only have to hijack their thought
  process by providing fraudulent web
  information.

I believe that is the basis upon
which this article was written, and should be pointed out that
this is applicable to any device accessing the web.
Personally, I don't believe there is going to be a huge
problem. As Mehta pointed out, it will be extremely difficult to
actually corrupt the iPhone. In addition, he also pointed out the
ease in which maintaining the iPhone will actually attract secure
conscious minds.

[hellsyes]

Read before attacking

Maybe you should read something and fully understand it before you start attacking the author.

1. BSD and OSX are not the same. But, it is a fact that the Mach kernel that is in OSX was developed for BSD. Please research before dissing.

http://en.wikipedia.org/wiki/Mach_(kernel)

2. You have a good point. Lack of an SDK will only slow attackers down until they develop their own.

Sidenote: There was nothing mentioned in this article about windows except the fact that Safari runs on Windows now and the attacks developed to attack safari might affect safari on the iphone. Please stick to the topic. There is no reason to start another "mac vs. pc" flame war on CNET. There are already plenty of those.

3. He did not say that iPhones are ONLY for consumers. He said that it is being "marketed in a consumer space". From what I can tell, that is Apples approach as of now. That does not mean that business users can't or won't use it or that apple might not change their marketing strategy down the road.

4. (I know you didn't have a "4", but this is just my 2 cents) IT'S JUST A PHONE, RELAX! It kills me how people get all worked up about it. I have a macbook pro and I love it, but I am neither an apple fanboy or a windows fanboy or even a linux fanboy. I do hate windows, personally because it's not how I prefer it. But for some people, it is what they prefer and there is no reason to attack them for that.

[Ilgaz]

Remember PSP too (and iPhone is NOT a business device)

Sony PSP has one of the most expensive, legally binding SDK ever and it just took crackers like 3 months to release some trojan claiming to do things device can't (hear this Apple!)

PSP has a MIPS processor which is only known by elite of elitest game developers. It didn't stop anyone either.

How come the PSP was a juicy target for crackers/trojan coders? Sony locked down features which people KNEW that device is capable of. Trojans used these.

If people have to use a tiff exploit to install basic, innocent software (not piracy) to their device, some clever evil guys will also get interested in such backdoors too.

Sorry to say , iPhone has nothing to do in a real business environment unless it has at least Exchange (full!), Lotus Notes, VPN and VNC support. Watch how Symbian S60/S80 devices used in corporate environments.

[Byronic]

Tell the 'expert' that it's running ARM

This has been reported before. Next time CNET just wants to
get someone to 'diss' the iPhone (to secure their PC zealots and
fanboys) you might want to get someone to spew a little more
FUD.

Nice interview overall. See if you can get someone to spread
more FUD next time, this was almost objective.

Security has NOTHING to do with Marketshare. That is pure,
unadulterated FUD. There only needs to be an easy mark, such
as a windoze user.

[Ilgaz]

Intel XScale is a ARM chip, not x86 at all

Even if runs XScale variant of ARM from Intel, it has nothing to do with x86. XScale is a pure RISC CPU, it is open specification from ARM holdings just like Power from IBM alliance

[Ilgaz]

Other security organisations are afraid of Web 2.0 "apps"

Fortify Software, a very credible open source/Java security review company has recently posted something to their corporate blog about possible issues with iPhone and using Web as application platform.

". If the Web is the platform of the future, then cross-site scripting is the next buffer overflow. This is bad news."

http://extra.fortifysoftware.com/blog/2007/06/sorry_apple_wrong_answer.html

[zahadum]

this empty hand-waving is an embarrassment for ibm

wow.

usually ibm staff are knowledgeable, detailed & useful in their
comments.

this guy was basically saying: i dont know.

he made vague & inaccurate generalizations about the media
architecture; is unfamiliar with os'x driver architecture; didnt
even know about the process architecture; was confused about
the unix core of os/x (viz exploits in useland); and repeated the
obvious about ajax (but iphone ships with safari V2 not the V3
beta, which is the one with yet unfixed security holes).

the only useful comment he made was about (the virtue of)
firmware updates (and software patches) been automated via the
sync facility in itunes.

the next time cnet wants to interview someone about os/x
security, cnet should interview someone who actually knows
about os/x security.

DUH.

... but in a way this public embarrssment of an ibm staffer is a
good thing: now we will scrutinize more carefully the credentials
of anyone form ibm selected for publication ... clearly the vetting
function at cnet does not work - so it is good to know this in
advance!

[m.meister]

another speculative story

Hmm, what new fear factor can we drudge up?

The Q&A was lame. I don't recall stories on the pros and cons of
Windows Mobile security. Or of Palm OS security.

Is it possible that there will be issues, yes. It is also possible that
you could get hit by a bus while crossing the street. Now is it an
issue that's worth writing about at this point in time (when you
know nothing about the specific aspects of the issue you're
discussing)? Simple: NO!

This is pure FUD.

[Llib Setag]

MS Exchange works with iPhone via ICEWEB

MACNN :

IceWEB today announced that its hosted Microsoft Exchange subscription service now supports Apple's iPhone, enabling corporate customers to access company Exchange email systems via their new Apple-branded cellular handsets. IceWEB has worked for months to position its IceMAIL service to fully support the iPhone, which should ease the fears of potential business customers who were rumored to shun Apple's handset due to a lack of interoperability with existing corporate mail systems. IceMAIL enables small and medium business customers to continue receiving hosted Microsoft Exchange email on most smartphones and eases the process of iPhone adoption for businesses fearing complications with the new device. IceMAIL is available from $8.50 per month.

[Llib Setag]

MS Exchange & Activesync for iPhone

MACWORLD 07.09.2007

IceWeb is offering users a 30-day free trial of IceMail for iPhone. IceMail is a hosted Microsoft Exchange e-mail subscription service.

IceWeb chairman and CEO John R Signorello said that his company?s efforts have been made to make sure that iPhone users have access to an Exchange-based e-mail system even without requiring any infrastructure changes to a corporate IT environment.

?There has been much press regarding how the iPhone might be ?shunned? by enterprise email users because of the lack of perceived compatibilities with Microsoft Exchange implementations. We?re working to ensure this will not be the case,? he said.

There have been rumors that Apple will offer some sort of Activesync connectivity for the iPhone ? Activesync is the push synchronization technology from Microsoft that allows e-mail, contact and calendar sync with Exchange. If this ultimate proves correct, IceWeb plans to offer that capability to iPhone users as well, included with the IceMail subscription.

IceMail service starts at $8.50 per month.