We have already seen some exploits for the iPhone, the most notable being the Wi-Fi exploit based on the work of Dr. Charles Miller. Miller's research discovered a vulnerability in the version of Safari that is installed on the iPhone. In essence, all that an attacker would need to do is have an unsuspecting user surf to a malicious website. After Safari runs the code on the malicious site, the attacker would have full access to the user's iPhone.
An additional security concern resulting from Miller's research is the lack of memory randomization used by the iPhone. This means that memory locations of applications and processes running on the iPhone will be in consistent locations making attacks like buffer overflows easier to create. It should be noted that Apple Inc. worked quickly with Dr. Miller to patch the Safari vulnerability.
I do believe that having a software development kit (SDK) increases the risk of compromise. Enabling third-party developers to build software for the iPhone is similar to giving a developer the ability to add drivers or kernel modules to an operating system. Because of the ability to install drivers and kernel modules, attackers can create the equivalent of drivers or kernel modules to install malicious code directly into the operating system, making the malware difficult to detect and remove. Platform developers, such as Apple Inc., Microsoft, and the Linux community, want to see their operating systems and applications extended. Remember, extensibility is a good thing, even if it does mean an overall reduction in security. Otherwise, people would need to reinstall their operating systems every time they want to add a new printer.
However, how much greater is the risk now that there is a SDK for the iPhone? Many reverse engineers find it just as easy to patch binaries and find vulnerabilities without a fully developed SDK. Unfortunately, the SDK allows a greater number of individuals to develop applications for the iPhone -- many of them poorly developed. It is all about identifying the risk and striking a balance with business need. Personally, I do not believe that the iPhone poses any greater risk to the enterprise than BlackBerry or Windows Mobile devices do. By having these devices, an enterprise needs to treat them as they would treat their desktops and notebook systems, namely by keeping up to date with patches and the latest potential attack vectors against these devices.
This was first published in July 2008