Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

with Editors comment iPhone flaws, first of many because of design issue imo

From: David Farber <dave () farber net>
Date: Mon, 23 Jul 2007 13:21:12 -0400
I am publishing this not to damn Apple but because of a comment made in the referenced aricle that I thinbk is VERY VERY telling. Namely:
"Does this add credence to Apple's position that 3rd party applications are not allowed on the iPhone for security reasons?
We don't think so. Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model, rather than protecting the user (which is, of course, an entirely understandable position). For example, a constrained environment is used to prevent users from loading new ringtones onto the phone, but the applications are not run in a constrained environment to contain damage caused by hackers who exploit them." 

Dave

-----Original Message-----

From: justin [mailto:justin () dslr net]
Sent: Mon 7/23/2007 11:32 AM
To: David Farber
Subject: iPhone flaws, first of many because of design issue imo

Hi, Thought I'd see this on the list today but no so here it is..

iPhone applications all run as root, instead of running under individual
less-privileged uids, therefore a problem with one app compromises the
data on the entire phone.

The coverage today is of a malicious website triggering installation of
software which then can dump the entire phone, if necessary, over the
net - while the user watches a "busy" browser:

http://www.securityevaluators.com/iphone/

There are definitely going to be more of these proof of concepts, and
Apple should re-evaluate the security model it uses (or rather, has
failed to use) in the iPhone before someone creates a real iPhone virus
that is spread via enticement to view mail messages, visits sites,
stumble into public wifi spots with pcs running "iPhone penetrators", or
whatever/wherever the break-in can be triggered.

Note that OSX requires an administration password before the OS can be
modified, and programs running on Macs run under the user-id of the
owner - making a (say) Safari exploit less likely to gain write access
to the underlying OS.

-Justin
dslreports.com

-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
Previous By Date Next
Previous By Thread Next

Current thread: