I'm sure someone will open the iPhone up shortly after launch and report everything they find inside. Apple has already talked a little about updating the iPhone software or firmware. Everything from activation to updates is to be handled through iTunes, right?
Mehta: The iPhone will likely be connected to a PC quite frequently, and the update mechanism for other Apple devices that are connected to the PC, such as the iPod, is very robust and very user-friendly. If you want to update the program on your iPod, for example, if you connect it to your PC, it's just one click to update the firmware within the iTunes software. Some of that people take for granted in terms of its peers but it's really not that common to have a good update mechanism for a smart phone. And that's one of the biggest problems for a lot of the smart phones out there--there's no easy way to update. And, so, if you ask a lot of people with a smart phone when was the last time they patched their smart phone, most of them would look at you like you're crazy because very few of them have done it.
In many cases there is no over-the-air update mechanism, and also these phones are not connected to the PCs with the specific purpose of its own firmware updates. Some of the firmware updates (for smart phones) require you to back up all of your contacts and data on the device, wipe the entire device, and so on. All of these things contribute to updates for other smart phones being very infrequent.
If Apple makes updating the iPhone as easy as it has made updating some of the other devices (like the iPod), it'll have a leg up on other smart phones in terms of installing patches and keeping it up to date, even if security vulnerabilities are there. I think that's a positive as well. The only other smart phone that has that to any degree is the BlackBerry platform, where updates can push from the enterprise server, and be managed by corporate IT. But outside of that most smart phones are very hard to update, and they require you to manually search for updates on your own and let you install them by yourself.
So the iPhone will be easy to keep patched, but it seems there's another exploitable weakness--the browser. Even if you have a fully patched browser, there are still ways for criminals to hijack the Ajax processes on Web 2.0-enabled sites, for example, and link iPhone users to malicious code. But that's assuming the Apple Safari browser is not itself vulnerable, right?
Mehta: Yes. You're absolutely right. If you look at the history of browser security for the last year or two, it's been absolutely terrible. And that's because browsers are enormous and very complex applications. One of the things we do know about the iPhone is that the Safari browser will definitely be on it. And the only documented way for third parties to develop applications for the device will also be through Safari and through Ajax. So it's very likely that vulnerabilities that are found for Safari for Mac or Safari for Windows will also affect the iPhone.
I think that's just a small piece of the bigger potential security risk being that having an iPhone based on Mac OS X gives attackers the ability to go and analyze any shared application that might be on a Mac, and analyze it on a familiar platform that they understand very well, and then try and extend that knowledge or port it over to the iPhone. We'll likely see that there will be a parallel stream of updates for the Safari browser on both Mac and on the iPhone, and for other applications within OS X that run both on the Mac and on the iPhone. Even though it's a closed platform, it will have a certain degree of transparency because of the shared code base with other platforms.
I would also guess that less sophisticated attackers will likely try and look at the applications on the Mac platform or the Safari browser on Windows and then simply try the exploits that they create against the iPhone and see if they work. We've already seen some public speculation that the Safari vulnerabilities will affect the iPhone prior to its release.
See more CNET content tagged:
Neel Mehta, Apple iPhone, criminal, smart phone, security




the same! Wow - and he is an "expert"!
2. Exploits only because lack of SDK? Maybe it is just more fun
attacking DOS/Windows because it is easier? More holes?
Attack the registry and cripple a machine?
3. iPhones not for business people, only for consumers?
Another Wow! If he was writing about computers in the 50's, he
will say that computers would be only for a few large insurance
companies.
There are
a lot of questions concerning security, and he did point out
that:
party based client applications are not a factor. He pointed out
this as barrier for exploiting an iPhone.
are historically, and by nature, impossible to completely secure
because you don't have to hijack someone's client to take
advantage of them. You only have to hijack their thought
process by providing fraudulent web
information.
I believe that is the basis upon
which this article was written, and should be pointed out that
this is applicable to any device accessing the web.
Personally, I don't believe there is going to be a huge
problem. As Mehta pointed out, it will be extremely difficult to
actually corrupt the iPhone. In addition, he also pointed out the
ease in which maintaining the iPhone will actually attract secure
conscious minds.
1. BSD and OSX are not the same. But, it is a fact that the Mach kernel that is in OSX was developed for BSD. Please research before dissing.
http://en.wikipedia.org/wiki/Mach_(kernel)
2. You have a good point. Lack of an SDK will only slow attackers down until they develop their own.
Sidenote: There was nothing mentioned in this article about windows except the fact that Safari runs on Windows now and the attacks developed to attack safari might affect safari on the iphone. Please stick to the topic. There is no reason to start another "mac vs. pc" flame war on CNET. There are already plenty of those.
3. He did not say that iPhones are ONLY for consumers. He said that it is being "marketed in a consumer space". From what I can tell, that is Apple's approach as of now. That does not mean that business users can't or won't use it or that Apple might not change their marketing strategy down the road.
4. (I know you didn't have a "4", but this is just my 2 cents) IT'S JUST A PHONE, RELAX! It kills me how people get all worked up about it. I have a macbook pro and I love it, but I am neither an apple fanboy or a windows fanboy or even a linux fanboy. I do hate windows, personally because it's not how I prefer it. But for some people, it is what they prefer and there is no reason to attack them for that.
PSP has a MIPS processor which is only known by elite of elitest game developers. It didn't stop anyone either.
How come the PSP was a juicy target for crackers/trojan coders? Sony locked down features which people KNEW that device is capable of. Trojans used these.
If people have to use a tiff exploit to install basic, innocent software (not piracy) to their device, some clever evil guys will also get interested in such backdoors too.
Sorry to say, iPhone has nothing to do in a real business environment unless it has at least Exchange (full!), Lotus Notes, VPN and VNC support. Watch how Symbian S60/S80 devices used in corporate environments.
get someone to 'diss' the iPhone (to secure their PC zealots and
fanboys) you might want to get someone to spew a little more
FUD.
Nice interview overall. See if you can get someone to spread
more FUD next time, this was almost objective.
Security has NOTHING to do with Marketshare. That is pure,
unadulterated FUD. There only needs to be an easy mark, such
as a windoze user.
". If the Web is the platform of the future, then cross-site scripting is the next buffer overflow. This is bad news."
http://extra.fortifysoftware.com/blog/2007/06/sorry_apple_wrong_answer.html
usually ibm staff are knowledgeable, detailed & useful in their
comments.
this guy was basically saying: i dont know.
he made vague & inaccurate generalizations about the media
architecture; is unfamiliar with os'x driver architecture; didnt
even know about the process architecture; was confused about
the unix core of os/x (viz exploits in userland); and repeated the
obvious about ajax (but iphone ships with safari V2 not the V3
beta, which is the one with yet unfixed security holes).
the only useful comment he made was about (the virtue of)
firmware updates (and software patches) being automated via the
sync facility in itunes.
the next time cnet wants to interview someone about os/x
security, cnet should interview someone who actually knows
about os/x security.
DUH.
... but in a way this public embarrassment of an ibm staffer is a
good thing: now we will scrutinize more carefully the credentials
of anyone from ibm selected for publication ... clearly the vetting
function at cnet does not work - so it is good to know this in
advance!
The Q&A was lame. I don't recall stories on the pros and cons of
Windows Mobile security. Or of Palm OS security.
Is it possible that there will be issues, yes. It is also possible that
you could get hit by a bus while crossing the street. Now is it an
issue that's worth writing about at this point in time (when you
know nothing about the specific aspects of the issue you're
discussing)? Simple: NO!
This is pure FUD.
IceWEB today announced that its hosted Microsoft Exchange subscription service now supports Apple's iPhone, enabling corporate customers to access company Exchange email systems via their new Apple-branded cellular handsets. IceWEB has worked for months to position its IceMAIL service to fully support the iPhone, which should ease the fears of potential business customers who were rumored to shun Apple's handset due to a lack of interoperability with existing corporate mail systems. IceMAIL enables small and medium business customers to continue receiving hosted Microsoft Exchange email on most smartphones and eases the process of iPhone adoption for businesses fearing complications with the new device. IceMAIL is available from $8.50 per month.
- MS Exchange & Activesync for iPhone
- by Llib Setag July 9, 2007 6:19 PM PDT
- MACWORLD 07.09.2007
IceWeb is offering users a 30-day free trial of IceMail for iPhone. IceMail is a hosted Microsoft Exchange e-mail subscription service.
IceWeb chairman and CEO John R Signorello said that his company's efforts have been made to make sure that iPhone users have access to an Exchange-based e-mail system even without requiring any infrastructure changes to a corporate IT environment.
"There has been much press regarding how the iPhone might be 'shunned' by enterprise email users because of the lack of perceived compatibilities with Microsoft Exchange implementations. We're working to ensure this will not be the case," he said.
There have been rumors that Apple will offer some sort of Activesync connectivity for the iPhone - Activesync is the push synchronization technology from Microsoft that allows e-mail, contact and calendar sync with Exchange. If this ultimately proves correct, IceWeb plans to offer that capability to iPhone users as well, included with the IceMail subscription.
IceMail service starts at $8.50 per month.