Concerned over Apple iPhone's third-party development and deployment model? Yep.

Concerned over Apple iPhone's third-party development and deployment model? Yep.

Summary: In a much ballyhooed media event, Apple released the iPhone SDK at a press conference last week.  I've been watching the wire to see if other security researchers are as concerned about Apple's development and deployment model as I am.

SHARE:

In a much ballyhooed media event, Apple released the iPhone SDK at a press conference last week.  I've been watching the wire to see if other security researchers are as concerned about Apple's development and deployment model as I am.  They are.

A good friend and colleague at Ernst & Young, Nitesh Dhanjani, made a blog posting about the subject this morning.  If you haven't read and subscribed to Nitesh's blog, you are missing some really great content.  Specifically, you should check out Nitesh's discussions on phising.  So after a shameless plug for a friend, back to the matter at hand.  Nitesh really brought up some relevant points and it will be interesting to see how these concerns flesh out.

Nitesh pointed to a quote from Steve Jobs during the iPhone SDK Press Conference:

If they write a malicious application we [will] track them down and tell their parents.

As Nitesh mentioned, this means that the iPhone applications will need to be digitally signed by Apple and the developers will be required to register with Apple.  What kind of information will Apple require from developers?  How will this information be stored?  How does Apple protect the intellectual property of those developing on their platform?

Further, as Nitesh mentions, Jobs points to a slide (shown below) where he describes what kind of apps will not be allowed on the iPhone:

Apple iPhone SDK

As we dig deeper into this slide, a lot of questions can be raised as to the what, how, and why of Apple's iPhone development limitations.  Nitesh points out three very good points on this:

  • Apple may have a difficult time auditing applications to ensure they meet their criteria. What is the absolute definition of malicious in the given context? Malicious to whom? The end user, Apple, or AT&T? Perhaps all of the above. Now, how does Apple go about obtaining assurance whether a given application is malicious or not? Will someone try out every application that is submitted? Will someone at Apple review the source code of every application to ensure it does not invoke any malicious operations and only calls published APIs?
  • Applications may not run in the background. This is quite likely to be a decision based upon processing resource constraints. Note that Apple's own iPhone applications such as Mail, iPod, and SMS do run in the background.
  • The Unforeseen clause means that Apple reserves the right to ban any application at any time. Will they be reasonable with the developers? I don't see why they wouldn't be as long as it doesn't hurt their bottom line, for example:

11:32AM - We asked: Will SIM unlock software be considered software not allowed in the app store?A: Steve: (pause) "... yes." Laughter.

Perhaps the most interesting concern Nitesh brought up is how does Apple go about obtaining assurance whether a given application is malicious or not?  Obviously some sort of source code audit must be being performed to determine if there are any backdoors, etc., who takes on that responsibility?  Maybe more importantly, who is negligent if a backdoor gets through?

Personally concerning to me is, who is reviewing the security of these applications?  With Apple signing off on these applications, can users reasonably expect the apps to be secure?  Will the previously mentioned source code audit cover vulnerabilities as well as malicious code?  One could make the case that applications like QuickTime, which have been repeatedly targeted and exploited, are as threatening as malicious code.  Will these be reviewed prior to being placed on the iPhone?

With mobile devices, such as the iPhone, being coupled tighter with internal corporate resources, it's clear that there is a great bang-for-the-buck factor for attackers; not to mention that hacking Apple and mobile devices seem to be too very sexy subjects for security researchers right now.  It will be interesting to see how Apple's development and deployment model stand up to attacks.

-Nate

Topics: Apps, Apple, Browser, iPhone, Mobility, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

32 comments
Log in or register to join the discussion
  • IE input exploit?

    AVG says that blogs home page uses an IE input exploit and locked the page out.

    Should we be concerned that you post a link to it?
    happyfirst
    • RE: IE input exploit?

      Hahaha, no idea what you are talking about man. What blog? I've had no problem with any of the links.
      nmcfeters
      • What blog?

        Are you kidding me? The blog that your article references AND links to in the second paragraph? Your 'shameless' plug?

        No problem? Do you use AVG software? If not, then either you're not as protected as you THINK you are or AVG has an bug/issue or Nitesh Dhanjani has a valid reason to need to use that exploit?
        happyfirst
        • RE: Hahaha

          Wake up and smell the hype! I guess that goes to show you how good your anti-virus is. Nitesh is a well-respected security expert. He has an activex control on his site that allows you to chat with him, that's the only thing I can think of that would flag any kind of issue in an AV product. I have Symantec AntiVirus and I only get an issue about loading an activex control. Perhaps the activex control kills your AV somehow.

          >>Do you use AVG software? If not, then either >>you're not as protected as you THINK you are >>or AVG has an bug/issue or Nitesh Dhanjani >>has a valid reason to need to use that >>exploit?

          You are using AVG software? Maybe you are LESS protected than you think. In any case, not everything that an AVG flags is a hacking attempt.

          -Nate
          nmcfeters
          • not everything that an AVG flags is a hacking attempt.

            I agree. But false positives (even very rare ones like this one) are still SAFER than letting stuff pass through. Again, it could be just a bug in their software that translates into a false positive. I doubt't I'm LESS protected with a false positive if that's what it is. It didn't kill AVG. It just warned me and I said no to the site. Was the first time I'd ever gotten warned clicking on a link from your site.

            Of all the things for a "security expert" to do, put an activex control on their page.
            happyfirst
          • RE:

            Well, you're just falling into the hype man. Not all ActiveX controls are insecure. Also, the tone you use is all wrong. Nitesh is a widely respected security expert. He's spoken at a ton of conferences, including Black Hat, and he's written several books on the subject. The point is, it's good you are using an AV product, but don't take everything it says as the word of God. The fact that a website is loading an ActiveX control doesn't necessarily mean you're getting owned.

            -Nate
            nmcfeters
          • Not all ActiveX controls are insecure.

            I agree. Sorry about my "tone". Didn't realize it was all wrong. Let's see, I clicked on a link from your site, got warned, and told you about it. In your first reply, you basically laughed back at me and don't even know what blog I'm talking about. In my initial post, I even went out of my way to state that it could be an issue with AVG software. You're basing everything on the fact that you know him. I do NOT know him. I have to trust you. How do you know his site didn't get hacked? It's happened before. A trusted blog is a good place to hack and try to use to spread something around.

            Google "security experts activex" and the first page is littered with comments about how security experts says to turn off ActiveX. It's funny because my initial issue wasn't the about the ActiveX. It was about something else going on in his home page that my AVG was saying was a known exploit technique. Something to do with an input field.

            I can understand security experts telling people to turn off activex as extreme as that sounds. It's completely different though for one to then go and put one on their home page.
            happyfirst
          • Nothing is worse in the security world

            than a false positive.
            rtk
          • Wouldn't false negative be worse?

            Are you better off dealing with an annoying false positive? Or a false negative that actually lets the malware through?
            happyfirst
          • Don't interact with the security world much, eh?

            A false positive is NOTHING compared to a false negative. One is time consuming, one is potentially catastrophic AND time consuming.
            KTLA
    • No link to "Disclosures" either

      I went to Nate's "Disclosures" link and that didn't work either,
      gave error message........
      Deanbar
      • RE: No link to "Disclosures" either

        No idea what you are talking about here man. Could you expand on that? What "Disclosures" link did I pass along that isn't working?

        -Nate
        nmcfeters
  • RE: Concerned over Apple iPhone's third-party development and deployment model? Yep.

    What blog? Are you kidding me? The blog that your article references AND links to in the second paragraph? Your 'shameless' plug?

    No problem? Do you use AVG software? If not, then either you're not as protected as you THINK you are or AVG has an bug/issue or Nitesh Dhanjani has a valid reason to need to use that exploit?
    happyfirst
    • RE:

      Double-post, see my response in your original thread. I would say this is a case where your anti virus is fooling you.

      -Nate
      nmcfeters
  • The future of computing..

    ...asking The Company for permission to author, distribute and run an application.

    Sheesh. Let's hope other mobile OS/device makers continue to value the flexibility of users.
    KTLA
    • RE: The future of computing...

      Yeah, I imagine it may be painful for developers. Although, I will say this, done properly, this could cut down on third-party flaws. If you contrast this with Microsoft's method, which allows third-parties to develop whatever they want, I think some of the value of it comes out in terms of security. I prefer the freedom myself, but maybe something in the middle of both makes sense.

      -Nate
      nmcfeters
  • seem like Apple is opening up to being sued...

    by acting as gate keeper like that they seem to be in a way warrantying the software against defects ... so any potential law suite basically then sit in their lap.. don't know how wise that is.. but it seems to only hurt them and gets developers off the hook a bit.. well i guess user sues Apple, then Apple could turn around and sue the developer... in any case doesn't seem that wise to me.
    doctorSpoc
    • Legal Matters

      Yes, legal matters are very concerning with their model. I'm certain their lawyers will eat up tons of dollars creating documentation to protect them, but it is concerning.

      -Nate
      nmcfeters
      • security concerns may...

        be overblown. Communication between iPhones
        and iTouch devices isn't like Windows or other
        desktop computers. Therefore any replicating
        malware that escapes Apple's screening will not
        spread widely. If a given program does turn out to
        be a malefactor, it can be quickly removed from
        the store.
        Security researchers will likely screen programs
        and want to sell anti-malware software. They will
        inform Apple if and how certain software may be
        malicious.
        arminw
        • RE:

          I tend to disagree with you severely here. If I infected an iPhone and it was attached to a corporate infrastructure, I would have a platform for further exploitation into the network.

          Also,

          >>Communication between iPhones
          and iTouch devices isn't like Windows or other
          desktop computers

          Would you care to clarify on what you mean by that? I've not seen a whole lot limiting what the iPhone is capable of doing.

          -Nate
          nmcfeters