The iPhone crack’d: are Apple security’s halcyon days over?

David Braue
12 November, 2009

Australia has a small but growing number of successful iPhone developers, but Wollongong-based developer Ashley Towns made global headlines this week for all the wrong reasons after developing the first iPhone virus capable of infecting and spreading itself amongst jailbroken iPhones.

Now, since you are likely a good, respectful Apple user, you no doubt listened to your mother when she told you to keep your elbows off the table, chew your food properly, and – above all else – to never jailbreak your iPhone. But if you went and did it anyway, Towns’ Ikee virus was a reminder that some things were never meant to be broken.

While Towns’ original, playful design did little more than load a picture of Rick Astley onto the device, it took just a few days before, true to warnings, the inevitable flood of imitators began. And the second time around, things weren’t so pretty (or, as the case may be, pretty-boy): a data-stealing iPhone attack using a similar attack vector actually can do some nasty things to your phone.

Virus attacks on smartphones have been recognised as a possibility for years, leading Symantec, Kaspersky Labs, and a host of other providers to issue largely pointless security software for Windows Mobile and other phones. Until this week, such software was utterly pointless on an iPhone – not least because Apple doesn’t let developers write background processes, but more pointedly because it simply wasn’t necessary.

It still isn’t necessary, since Towns’ folly only affects jailbroken iPhones running specific applications; and if you’re savvy enough to jailbreak your iPhone, you really should be savvy enough to change your default passwords. If not, well, you won’t get much sympathy.

The real problem with Towns’ success is that it has put another conceptual chink in the perception of Apple’s bulletproof armour. It’s a perception Apple has worked hard to maintain for years, even going so far as to brag about its security in its commercials (for example, here and here).

I recently sat down to talk shop with Nick FitzGerald, an antivirus industry guru currently working as emerging threats researcher with online security firm AVG. This is a man who lives and breathes security, and his assessment of Apple’s prospects was bruisingly frank. “I don’t think you will see a new Macintosh ad where the I’m a Mac and I’m a PC guys talk about security in the insanely naïve way they have up to now,” he said.

“With the new version of Mac OS X,” he explained, “Apple have opened the door: they publicly acknowledged that there were malware issues for the Mac. They built into the OS a mechanism to block two, and only two, of the more common and well-known Mac Trojans that aren’t actually much of an issue now. But they have opened the crack wide and someone will be driving a wedge into it real soon now.”

Of course, Mac OS X and iPhone security are two different beasts entirely – but the fact that hackers are slowly, surely learning more about their internals should at least raise a warning flag with users. If your iPhone isn’t jailbroken, of course, these attacks aren’t an issue because Apple has gone out of its way to wrap those sensitive bits of the phone in digital cotton wool.

The venerable Mac, however, faces other issues – and Mac-specific viruses rate pretty low on that scale. With AVG reporting that the number of new, malicious Web pages being set up every day had jumped from 100,000 early this year to around 300,000 new pages per year, the sheer scope of the problem continues to grow unabated.

“There is a significant amount of bad stuff that happens out there that doesn’t actually care what operating system you’re using,” FitzGerald said. “It’s a much bigger picture than saying ‘There’s a lot of malicious software out there for Windows, therefore I don’t have to worry because I don’t use Windows’.”

While Macs may remain more generally virus-free than their Windows counterparts – and more so after Apple released its latest security (and other) updates this week – using a Mac is hardly automatic protection against the evils of the Internet. Antivirus vendors continue to launch Mac-specific security solutions – Kaspersky Labs recently joined McAfee and Open Door Networks to launch a new offering into the pantheon of Mac antivirus solutions.

Sceptics will scoff at the need for such solutions, and indeed with so few in-the-wild attacks specifically targeting Macs the need for such solutions is still largely prophylactic. But security professionals like FitzGerald believe it’s only a matter of time before hackers start pounding on that wedge – and the crack becomes a fissure, or worse.
