10 million iPhones = An ideal platform for malware

Let's make a few assumptions. First off, let's assume that Steve Jobs is bang on right and the iPhone will be a massive success. Let's assume that it will be the biggest thing since the iPod. Let's also assume that Steve's right when he says that Apple can shift 10 million iPhones over a year and capture 1% of the cellphone market. If everything works as Steve Jobs sees it playing out, then he'll be responsible for having created one juicy platform for malware writers.

OS X doesn't dominate any market it's in, but the iPhone might, and that will be the key difference when it comes to malwareHave you ever wondered why you don't regularly come into contact with malware when using your cellphone? One of the main reasons is that no single cellphone has managed to gain enough of a market share to become a large enough platform for malware to leverage. The current cellphone market is diverse and fragmented across a multitude of platforms. Even if you confine yourself to looking at a single specific platform, you'll come across totally incompatible sub-platforms. The fact is that it's tough enough to write legitimate mobile applications using something like J2ME (Java2 Micro Edition) that'll work smoothly across a small number of phones. The combination of an abundant lack of standards and the number of companies competing aggressively means that no single platform has managed to capture enough users to create a critical mass. If legitimate applications written by legitimate programmers find it difficult to work across platforms, what chance do the malware writers have of coming up with code that works over a enough phones to make their efforts worthwhile? It’s negligible at best. The current state of play offers security. Sure, it’s security through obscurity, but so far it’s served us well. As it stands now, owning a cellphone is relatively risk-free and doesn’t open a door to malware.

But Steve Jobs wants to change how things are. He is not happy with entering the cellphone market in a small, reserved way. He wants to enter the market with a bang and hopes that within 12 months Apple will be able to create a dominant platform where one didn't exist before. If things work according to plan, by the end of 2008 we'll see a mobile platform large enough to make it a worthwhile target for malware and cyber criminals. And don't think that this won't happen. A platform of 10 million users, all of whom will have spent $600 on a cellphone is a group well worth targeting.

Now Apple's counter to this is to put restrictions on the running of third-party code on the iPhone. A few weeks ago at D 2007 Steve Jobs told Walt Mossberg the reason why Apple placed restrictions on the iPhone’s capability to run third-party code:

This is an important tradeoff between security and openness. We want both. We're working through a way... we'll find a way to let 3rd parties write apps and still preserve security on the iPhone. But until we find that way we can't compromise the security of the phone.

I've used 3rd party apps... the more you add, the more your phone crashes. No one's perfect, and we'd sure like our phone not to crash once a day. If you can just be a little more patient with us I think everyone can get what they want.

Personal note: The part where Jobs says "I've used 3rd party apps... the more you add, the more your phone crashes" strikes me as peculiar. What third party apps? The iPhone's not even out yet but Jobs is blaming crashes on random applications. That statement more than any other gives me the impression that the cut-down version of OS X on the iPhone might be too cut down to run much beyond what is already bundled – and more than likely that been tweaked with so it will run on the iPhone.

Now while this might be ample security to prevent people with nothing better to do from tinkering with the iPhone and running their own code (and possibly causing the iPhone to crash, something that Steve Jobs is keen to avoid, and more seriously, causing disruption to the cellphone network), it's going to have to be watertight if it's going to keep hackers out. You can expect that hackers will be looking closely for any weakness and will hammer relentlessly at any that are discovered. Just because Apple has had a good security track record with OS X doesn't guarantee that the iPhone will be as lucky (OS X doesn't dominate any market it's in, but the iPhone might, and that will be the key difference when it comes to malware). In fact, given that they’re rushing iPhone out of the doors at Cupertino, the chances of coding blunders are high. It's certainly not a platform I'd like to integrate into a corporate or other critical environment until many of the bugs, especially security bugs, have been shaken out.

So, those who buy into the iPhone phenomenon could find themselves having bought into a platform that gives them more than they'd bargained for. Malware, security vulnerabilities and patches could become a way of life for the iPhone early adopter. Personally, I'm happier using a cellphone that isn't part of such a big ecosystem. I feel safer that way.

Thoughts?