iPhone OS 4.0 security fear, uncertainty and doubt
It is inevitable. With every mainstream technology news, comes at least one security company that wants to piggyback on it and introduce themselves to the world by making statements that make me cringe.
Instead of hearing about genuine problems and viable solutions, we’re bombarded with speculation and fierce theories aimed at shining the spotlight on a solution or service. Even bad publicity is still publicity, right? Sadly for them, this is not show business.
The announcement of iPhone 4.0 software last week was followed by a lot of security speculation, yet only one company decided to fill my inbox with theories that I see as nothing but a misplaced marketing strategy.
The marketing fail
Let’s take a look at their e-mail (in italic) with my comments below.
The move to multi-tasking on the iPhone opens up all sorts of hacker and mischievous possibilities on the Apple handset, as users can be interacting with an app in the foreground, whilst the iPhone does all sorts of things in the background, says Richard Kirk, European director of Fortify.
And this is because we’ve seen a ton of malicious software coming from the App Store? Multitasking is going to somehow influence the (by many deemed too) rigorous App Store approval process and bring nothing short of the cybercriminal underground into your iPhone?
According to Kirk, the potential for such malware can clearly be seen with a new Windows Mobile game called `3D Anti-terrorist action,’ which reportedly dials expensive international phone calls in the background, whilst the user plays the game on their smartphone.
Comparing apples to oranges, aren’t we? Once again, what does a Windows Mobile game have to do with the iPhone and the App Store approved games? As much as the Redmond giant would like to have Windows Mobile considered remotely in the same category with the iPhone, there’s no approval for apps on their platform.
We might as well say that a Sudoku game that runs on Ubuntu Linux might be insecure because there’s a Trojan being delivered with a Sudoku game that runs on Windows XP. It’s certainly possible, but is it likely?
The Terdial trojan is one of the first to take fraudulent advantage of the multi-tasking aspects of the Windows Mobile platform and Fortify fully expects to see other trojans plus malware used in future iPhone apps.
Logic at its finest. If there’s a Trojan for Windows Mobile there will be Trojans and other malware in future iPhone apps. Following the same logic, if a car manufacturer has a certain problem with its cars, all other manufacturers will have the same problems with their cars.
I’m not saying there will never be any malware for the iPhone, but years have passed and we’re still waiting for that swarm of malware the anti-malware industry has been talking about for years. Guess what? No soup for you!
A growing number of iPhone users are unlocking their handsets from their cellular carrier and the Apple iTune store, to allow them to run third-party sourced software, which is not checked by Apple Computer for its provenance.
These are hacked devices and are not used as built and intended and therefore cannot and should not be put in the same basket as the iPhone sold by Apple. Also, is Fortify really pushing the idea of enterprises using a fleet of hacked devices? If there’s an organization out there willing to deploy their corporate applications on such devices, they have much bigger management problems than checking the source code of possibly suspicious software, software intended to run on hacked (modified) devices.
The worm
Some will come out and say: “Wait! What about that worm? Remember?” Well, dear friends, that affected unlocked (modified) iPhones and in my book, that doesn’t have anything to do with Apple or the “regular” iPhone.
Let’s say you have a new car and you pull out the airbags to make room for a complex entertainment system. This would be beyond specification and outside the security testing done before the car is made available on the market. Then you end up in a serious accident because the lack of airbags. Is the the car manufacturer’s fault?
There’s no marketing firm telling me about the perils of using Nokia’s Maemo and how its applications could have a variety of hidden dangers just waiting to infect every corner of the enterprise. Why the iPhone? Because it’s newsworthy.