• Home
• Topics
• Enterprise Network Security
• Wireless Network Security: Setup and Tools
• Handheld and Mobile Device Security Best Practices
• Does the iPhone SDK effectively increase the risk iPhones pose?

Does the iPhone SDK effectively increase the risk iPhones pose?

Requires Free Membership to View

Login



SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

Michael S. Mimoso, Editorial Director

• E-mail Address: 

By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

We have already seen some exploits for the iPhone, the most notable being the Wi-Fi exploit based on the work of Dr. Charles Miller. Miller's research discovered a vulnerability in the version of Safari that is installed on the iPhone. In essence, all that an attacker would need to do is have an unsuspecting user surf to a malicious website. After Safari runs the code on the malicious site, the attacker would have full access to the user's iPhone.

An additional security concern resulting from Miller's research is the lack of memory randomization used by the iPhone. This means that memory locations of applications and processes running on the iPhone will be in consistent locations making attacks like buffer overflows easier to create. It should be noted that Apple Inc. worked quickly with Dr. Miller to patch the Safari vulnerability.

I do believe that having a software development kit (SDK) increases the risk of compromise. Enabling third-party developers to build software for the iPhone is similar to giving a developer the ability to add drivers or kernel modules to an operating system. Because of the ability to install drivers and kernel modules, attackers can create the equivalent of drivers or kernel modules to install malicious code directly into the operating system, making the malware difficult to detect and remove. Platform developers, such as Apple Inc., Microsoft, and the Linux community, want to see their operating systems and applications extended. Remember, extensibility is a good thing, even if it does mean an overall reduction in security. Otherwise, people would need to reinstall their operating systems every time they want to add a new printer.

However, how much greater is the risk now that there is a SDK for the iPhone? Many reverse engineers find it just as easy to patch binaries and find vulnerabilities without a fully developed SDK. Unfortunately, the SDK allows a greater number of individuals to develop applications for the iPhone -- many of them poorly developed. It is all about identifying the risk and striking a balance with business need. Personally, I do not believe that the iPhone poses any greater risk to the enterprise than BlackBerry or Windows Mobile devices do. By having these devices, an enterprise needs to treat them as they would treat their desktops and notebook systems, namely by keeping up to date with patches and the latest potential attack vectors against these devices.

More information:

• SSL encryption for iPhone email transmissions: How necessary is it?
• Learn about proof-of-concept mobile device malware and its relation to iPhone security.

Dig Deeper

This was first published in July 2008

More from Related TechTarget Sites

• Security Channel
• Cloud Security
• SMB Security
• Financial Security
• Security UK
• Security AU
• Security IN

• Security Channel

  • Survey results: VARs report customers’ IT spending 2012 expectations

    VARs expect customers to increase spending on security more than any other IT area in 2012. See which security segments will grow the most.

  • Create a computer security blog to attract and retain customers

    Blogging can produce new leads for security solution providers. Focus on content in your computer security blog that connects with customers.

  • Penetration testing tutorial: Guidance for effective pen tests

    This penetration testing tutorial contains essential tips to help solution providers uncover vulnerabilities in clients’ networks.

• Cloud Security

  • SaaS security: Weighing SaaS encryption options

    A look at SaaS encryption techniques and challenges.

  • Panel debates cloud computing governance issues

    Problems with data governance in the cloud aren’t much different than traditional outsourcing.

  • The proposed EU data protection regulation and its impact on cloud users

    Cloud customers and cloud providers would face stricter data security requirements under draft European regulation.

• searchMidmarketSecurity

  • Windows Phone 7 security: Assessing WP7 security features

    Windows Phone 7 security features are proving to be a mixed bag. Sam Cattle assesses the enterprise security pros and cons of the latest Windows mobile platform.

  • Choosing the best security certifications for your career

    Whether starting your career or planning your next step as an IT security professional, this tip will guide you toward the best certifications for your interests and experience.

  • Midmarket security tutorials

    SearchMidmarketSecurity.com’s tutorials offer IT professionals in-depth lessons and technical advice on the hottest topics in the midmarket IT security industry. Through our tutorials we seek to provide site members with the foundational knowledge needed to deal with the increasingly challenging job of keeping their organizations secure.

• searchFinancialSecurity

  • Web application threats: What you really need to know

    In this special presentation, Mike Rothman details today's top Web application threats and pragmatic methods to integrate security into the Web application development process.

  • Ramnit worm variant now dangerous banking malware

    The Ramnit worm now supports man-in-the-middle attacks, giving cybercriminals the ability to drain a victim’s bank account.

  • SIEM vendors make the case for extending SIEM product capabilities

    Advanced features can reduce the threat of wire fraud. New rule sets can be shared among banks and credit unions.

• Security UK

  • Web application vulnerability statistics show security losing ground

    New Web application vulnerability statistics show the number of vulnerabilities is rising, despite the use of Web application development frameworks.

  • Microsoft spurs Browsium to rewrite tool for running IE6 on Windows 7

    Microsoft has spurred Browsium to rewrite its tool for running IE6 on Windows 7, limiting the security threat posed by continued use of IE6.

  • How to apply PCI DSS guidance to virtualisation technology

    Learn how to apply best practices from the recently released PCI DSS virtualisation guidance to your virtual environment.

• searchSecurityAU

  • AISA launches new website

    With a reinvigorated look and feel, improved back-end infrastructure, and regularly updated information about the association the Australian Information Security Association website has been re-launched for the benefit of its members and the Australian IT Security industry.

  • Cisco hardening guides for IOS, IOS-XR and NX-OS devices

    Patching routing and switching infrastructure in any organisation is often delayed, sometimes due to the potential impact on production systems and sometimes because the IT resources are simply too busy fighting fires.

  • Cloud providers and data sovereignty issues

    Australian cloud provider Ninefold warn that understanding who has legal access to company and personal private data is not as simple as checking a box and selecting the 'in-country' option.

• Information Security

  • IDFC’s information security awareness week tastes success with ‘Mr Gobo’

    Financial major IDFC set out to craft its information security awareness initiative with a portal that led users via a ‘Mafia don’s den’. Step in for more.

  • Longstanding security problems plague enterprises, Trustwave finds

    While organizations focus on mobile security and other emerging threats, an analysis of more than 2,000 penetration tests conducted by Trustwave found older threats often overlooked.

  • Backtrack 5 PDF tutorial compendium: A pen-tester’s ready reckoner

    Our BackTrack 5 PDF tutorials collection will help you hone your edge, whether you are a security professional or an enthusiast. Best yet, they are free!

• About us
• Contact us
• Site index
• Privacy policy
• Advertisers
• Business partners
• Events
• Media kit
• TechTarget corporate site
• Reprints
• Site map