The pros and cons of iPhone security

Neel Mehta, a researcher with IBM's ISS X-Force, talks about the good and the possible bad security that might face Apple's new smart phone.
Written by Robert Vamosi, Contributor
Few people standing in line to buy an iPhone Friday will be focusing on the security of Apple's new phone. But some influential security researchers already have given the matter lots of thought.

Take Neel Mehta, a security expert at IBM's Internet Security Systems, which typically focuses on perimeter security for large corporations.

Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder."

Mehta thinks the iPhone will attract a more sophisticated criminal who's attracted to the challenge of hacking a complex system. Also, with Symbian OS-enabled phones currently occupying 40 to 50 percent of the world market, most petty thieves will still be drawn to the lower-hanging fruit.

In advance of iPhone's release, CNET News.com spoke to Mehta about the pros and cons of iPhone security.

The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have to a completely secure code base.

Q: What is the biggest security threat to the iPhone?
Mehta: The number of eyes that will be drawn to the iPhone platform itself and all the applications that run on it, that's probably the biggest security risk for the iPhone itself in that it will be undergoing a tremendous amount of scrutiny, probably more so than any of these applications have seen before. In the end, we'll get a better understanding of how secure the entire code base is and how these applications withstand thousands of eyes looking at them.

Do you think some early adopters will be targeted by criminals online? Early iPhone users by definition are going to be wealthier than the average person. And for a criminal, there's bound to be payoff in stealing the personal data of someone like that.
Mehta: The people who are going to buy (the iPhone) are the people who have $500 to spend on a smart phone and are fairly technology savvy as well. Again, it's a phone and its also, from my understanding, being marketed in a consumer space, and has features that are much more attractive to consumers instead of businesses in terms of the ability to download and play media of all different types on it, and so on.

So businesses will likely have employees that use it, but in terms of sanctioned IT use within an enterprise environment it's probably not going to be that common. It's always possible that there will be attackers who will launch sophisticated attacks against someone with an iPhone, but there are a lot of other mobile devices that are much more common within an enterprise environment, such as the BlackBerry for example, that are more interesting targets--at least in the short term.

You mentioned that the iPhone's being marketed as a consumer phone. That means there will be a lot of media-rich applications preinstalled. How will that affect the overall security of the device?
Mehta: You can look at it as a portable computing device, more so than any other mobile phone, in its traditional sense, so it is going to have to understand many different types of multimedia formats. It will be able to play audio, video, pull that content off the wireless network, or off a PC that it's connected to. It will also understand e-mail. It will contain, possibly, a full-featured version of Mac OS X, and so the complexity of the device makes it more challenging to secure.

News.com Poll

Calling plan
Will you buy an iPhone?

Are you kidding? I'm in line now
The next time I'm at an Apple store
After I read the reviews - maybe
When someone other than AT&T is the carrier
Not till the price is under $200
No 3G? No way!

View results

We're seeing this with all the different smart-phone platforms--as they become more complex, have more features built into them, they also have more opportunities for hackers to break into them. The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have a completely secure code base…And so we'll likely see the need for updates for the iPhone as flaws are discovered.

Speaking of flaws, there have been a few exploits developed recently for Mac OS X vulnerabilities. Mac OS X is based on Unix. Isn't it likely, with the increased interest in Mac OS, that someone will start porting over existing Unix exploits and trying them against the Mac?
Mehta: Mac is based off or derived from BSD Unix. The OS X that's running on iPhone will most likely be derived from the same original code base. But, the one thing that will probably be a huge factor in how easy it is to port exploits over is the processor that's in the phone. At the moment we don't know for sure what that processor will be. If it's an Intel-based processor, then it will be very similar to the current generation of Mac computers. There probably won't be that much difficulty for attackers to port exploits from existing Mac platforms over to the iPhone.

But if it turns out to be an ARM processor, for example, that's different. ARM has the biggest share of the processor market for mobile devices. That may be something a little bit new for the people who have been writing exploits for the Unix environment or for the Mac computing devices. If there's a change in processor architecture, it may take them a little bit of time. It's something that attackers who are determined will overcome. I think that Apple has been very tight-lipped about the underlying processor that will be running on the iPhone. I suspect that we will find out on Friday. Before then we're just guessing.

I'm sure someone will open the iPhone up shortly after launch and report everything they find inside. Apple has already talked a little about updating the iPhone software or firmware. Everything from activation to updates is to be handled through iTunes, right?
Mehta: The iPhone will likely be connected to a PC quite frequently, and the update mechanism for other Apple devices that are connected to the PC, such as the iPod, is very robust and very user-friendly. If you want to update the program on your iPod, for example, if you connect it to your PC, it's just one click to update the firmware within the iTunes software. Some of that people take for granted in terms of its peers but it's really not that common to have a good update mechanism for a smart phone. And that's one of the biggest problems for a lot of the smart phones out there--there's no easy way to update. And, so, if you ask a lot of people with a smart phones when was the last time they patched their smart phone, most of them would look at you like you're crazy because very few of them have done it.

In many cases there is no over-the-air update mechanism, and also these phones are not connected to the PCs with the specific purpose of its own firmware updates. Some of the firmware updates (for smart phones) require you to back up all of your contacts and data on the device, wipe the entire device, and so on. All of these things contribute to updates for other smart phones being very infrequent.

It's very likely that vulnerabilities that are found for Safari for Mac or Safari for Windows will also affect the iPhone.

If Apple makes updating the iPhone as easy as it has made updating some of the other devices (like the iPod), it'll have a leg up on other smart phones in terms of installing patches and keeping it up to date, even if security vulnerabilities are there. I think that's a positive as well. The only other smart phone that has that to any degree is the BlackBerry, platform where updates can push from the enterprise server, and be managed by corporate IT. But outside of that most smart phones are very hard to update, and they require you to manually search for updates on your own and let you install them by yourself.

So the iPhone will be easy to keep patched, but it seems there's another exploitable weakness--the browser. Even if you have a fully patched browser, there are still ways for criminals to hijack the Ajax processes on Web 2.0-enabled sites, for example, and link iPhone users to malicious code. But that's assuming the Apple Safari browser is not itself vulnerable, right?
Mehta: Yes. You're absolutely right. If you look at the history of browser security for the last year or two, it's been absolutely terrible. And that's because browsers are enormous and very complex applications. One of the things we do know about the iPhone is that the Safari browser will definitely be on it. And the only documented way for third parties to develop applications for the device will also be through Safari and through Ajax. So it's very likely that vulnerabilities that are found for Safari for Mac or Safari for Windows will also affect the iPhone.

I think that's just a small piece of the bigger potential security risk being that having an iPhone based on Mac OS X gives attackers the ability to go and analyze any shared application that might be on a Mac, and analyze it on a familiar platform that they understand very well, and then try and extend that knowledge or port it over to the iPhone. We'll likely see that there will be a parallel stream of updates for the Safari browser on both Mac and on the iPhone, and for other applications within OS X that run both on the Mac and on the iPhone. Even though it's a closed platform, it will have a certain degree of transparency because of the shared code base with other platforms.

I would also guess that less sophisticated attackers will likely try and look at the applications on the Mac platform or the Safari browser on Windows and then simply try the exploits that they create against the iPhone and see if they work. We've already seen some public speculation that the Safari vulnerabilities will affect the iPhone prior to its release.

Editorial standards