Problem solve Get help with specific problems with your technologies, process and projects.

Does the iPhone SDK effectively increase the risk iPhones pose?

As the iPhone user base grows, it will become a greater and greater target for malware. Learn best practices to mitigate iPhone risk from information security threats expert John Strand.

Now that the iPhone SDK has been out for a while, what are your thoughts on upcoming iPhone security threats? Does the iPhone SDK effectively increase the risk iPhones pose to the enterprise?
I believe that there are going to be more security issues discovered with the iPhone because there is a large user base. And, as we have learned, malware is big business. Attackers are going to attack platforms that have greater numbers.

We have already seen some exploits for the iPhone, the most notable being the Wi-Fi exploit based on the work of Dr. Charles Miller. Miller's research discovered a vulnerability in the version of Safari that is installed on the iPhone. In essence, all that an attacker would need to do is have an unsuspecting user surf to a malicious website. After Safari runs the code on the malicious site, the attacker would have full access to the user's iPhone.

An additional security concern resulting from Miller's research is the lack of memory randomization used by the iPhone. This means that memory locations of applications and processes running on the iPhone will be in consistent locations making attacks like buffer overflows easier to create. It should be noted that Apple Inc. worked quickly with Dr. Miller to patch the Safari vulnerability.

I do believe that having a software development kit (SDK) increases the risk of compromise. Enabling third-party developers to build software for the iPhone is similar to giving a developer the ability to add drivers or kernel modules to an operating system. Because of the ability to install drivers and kernel modules, attackers can create the equivalent of drivers or kernel modules to install malicious code directly into the operating system, making the malware difficult to detect and remove. Platform developers, such as Apple Inc., Microsoft, and the Linux community, want to see their operating systems and applications extended. Remember, extensibility is a good thing, even if it does mean an overall reduction in security. Otherwise, people would need to reinstall their operating systems every time they want to add a new printer.

However, how much greater is the risk now that there is a SDK for the iPhone? Many reverse engineers find it just as easy to patch binaries and find vulnerabilities without a fully developed SDK. Unfortunately, the SDK allows a greater number of individuals to develop applications for the iPhone -- many of them poorly developed. It is all about identifying the risk and striking a balance with business need. Personally, I do not believe that the iPhone poses any greater risk to the enterprise than BlackBerry or Windows Mobile devices do. By having these devices, an enterprise needs to treat them as they would treat their desktops and notebook systems, namely by keeping up to date with patches and the latest potential attack vectors against these devices.

More information:

This was last published in July 2008

Dig Deeper on BYOD and mobile device security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.