
iPhone and security - an expert’s view

It’s always interesting to get expert feedback on a particular subject – especially if it involves something high profile like the iPhone. Mike Hawkes, who is CTO of mobile security experts Broca Communications – and also the security expert in the Exec Committee of the Mobile Data Association – has been in touch, and has this to say.

– – – –

It’s interesting to note that it took only two months from the iPhone’s launch to hackers publishing methods describing how to install applications and access core components within the operating system. Within a couple of weeks of the initial ‘hack’, instructions appeared defining how to unlock the iPhone and use it on other networks. Rumours have it that the iPhone was cracked by a small group of teenagers using college resources in the USA.

This demonstrates how device manufacturers struggle to produce secure handsets – with the right equipment and a little know-how, anyone can obtain access to lower-level functions in a handset and change the way they operate. Part of the challenge for the iPhone was that Apple chose to release the device via a single network. In some ways, this helped publicise the iPhone as many bloggers complained bitterly about expensive data plans and limits imposed by Apple and the US telcos. This kept the device in the public eye and some could also argue that the attempts to crack the device helped keep the publicity engine ticking.

Now that Apple is launching the iPhone in Europe, much is made of the lack of support for 3G or high-speed data access. Given the maturity of the mobile data market in Europe, I remain sceptical as to whether a new user interface is enough to draw large numbers of people away from much more competent devices from companies such as Nokia and Sony Ericsson. Much now relies on ongoing advertising and Apple maintaining a ‘style war’ on their competition – in my opinion, Apple users may adopt the iPhone because it’s an Apple, not because of the underlying technology.

Kudos must go to Apple as it has managed to make headlines by introducing a new mobile device into an already saturated market. The company has also chosen to implement a very limited subset of technologies and restrict application development. The ‘other 3G’ content providers (Girls, Gaming and Gambling), are likely to struggle to support the iPhone and many I have spoken to are unwilling to update portal software or deployment services to support one device without a compelling commercial reason. This, in turn, may affect the device’s appeal for m-commerce and more serious application developers.

From a security viewpoint, the iPhone is no different to any other mobile device. Hackers have already demonstrated the ability to download and execute hostile code – and, as we noted in the past, Apple made itself a target for this type of attack by attempting to prevent programmers from installing code on the device. As with most radio devices, it is also vulnerable to fake-cell (man-in-the-middle), key phishing and over-the-air data theft, making it no better than its competition. Some could argue that by locking application developers out of the loop, the iPhone could run a higher risk of viral attack as anti-virus software is more difficult to provide.

All in all, the iPhone is a mobile device and I find it difficult to get excited about what, on the face of it, is a less well connected communications device. Its security model has weaknesses and there are many people out to prove that they can, from a software perspective, break the device wide open. The same rules apply to the iPhone as to any other device – turn off anything you don’t need; keep it password protected (and locked when not in use); and never accept or install anything unless you trust the source.
– – – –

Interesting thoughts, thanks Mike. What do you think? Feedback and comments welcome as always.