I almost called this article “Aliens Can Listen To Calls on Your iPhone” or “How To Hack Into Every iPhone Ever (Even When They’re Powered Off)”. But then I thought that maybe it would be a bit too much. I’ve been a little melodramatic at times, but that’s when I was younger and needed the rupees. But TechTarget isn’t young (although I don’t know if they need the rupees). I’d like to point out two recent articles of theirs:
- Zaphod wrote this chapter just to mess with you: Apple iOS Security Attacks A Matter Of When, Not If, IT Pros Say
- The Salmon of Doubt would be a much better title for this article: How an iOS virus can infect the enterprise and what to do about it
Let’s look at these headlines and vs the content of the articles. The first, Apple iOS Security Attacks A Matter Of When, Not If, IT Pros Say. The title isn’t actually that bad, (although I don’t know that the IT Pros quoted are worthy of punditry). It’s the headers within the article that set me off a little. “A false sense of iOS security” was the first: Here they said that iOS users are going to run something if it comes out because there haven’t been any vulnerabilities to iOS. Counter argument would be that since a vulnerability *will* (or would) be on CNN, MSNBC, NPR, every web site, every magazine and possibly a PSA on flights, I think they’ll figure it out pretty quick… The next header, “Responding to iOS security attacks” goes on to explain that (to summarize) iOS virus protection blows. OK, we should develop more FUD-based apps to check for viruses of data that those apps would actually have no access to due to sandbox controls.
The next header, “Entry points for iOS security attacks” tells us that someone will exploit HTML5 or post an app with a Trojan or Logic Bomb on the App Store in order to destroy your iPhone as if it were a planet slated for demolition. Each app can only communicate with resources outside of that app using an API Apple allows, an API that doesn’t cause combustion of the phone. If the app goes through the app store then that has to be a public, not private API. It is possible that someone could run a fuzzer against every possible variable exposed by every possible method and come up with a way to do something interesting, like cause the phone to reboot. But that kind of thing is going to be true of every platform and isn’t worthy of the pretense that it’s security consulting. I can dig on the possibility of that kind of vulnerability, but the author then indicates that Apple’s security is 7th worse in the IT industry with a 12% growth in vulnerabilities. Thus an insinuation that people are actually exploiting holes in iOS rather than Google monitoring iPhone user data a bit more than they should…
The second headline is much better though: How an iOS virus can infect the enterprise and what to do about it. Reading it, my first impression was that there was an iOS virus; you know, one written for iOS. But no, they’re talking about a virus that someone sends through your corporate Exchange server that is then copied to your Windows XP computer through the magical XP Virus Stream (like Photo Stream but more specific features for XP) and executes the virus that wipes your computer. I like it. I can dig that virus, but regrettably that virus doesn’t exist. And apparently no good anti-virus exists, according to the article. Why not? Because Apple has overly secured the OS and anti-virus has to be invoked manually.
Over-security is what makes iOS so great for phones. I’m one of those people that likes to hack stuff. And iOS isn’t for hacking around in unless you have jailbroken the device. That’s why my phone always works and I’m able to actually get stuff done on a consistent basis. There are certainly things Apple could do better. But iOS security is a hard one to point the finger at. I would like to see security researchers more warmly welcomed and for the Apple community to see those researchers as people who are building a stronger product rather than the enemy. I would like to see some technical features added or centralized control over features added.
It isn’t just Apple. It’s any company big enough to care about. The tech sites are mostly what I look at, and every time there’s something they think they can hop on with Google or any of the other big names in the tech industry they hop right on that to drive readers, whether well founded or not. Not all tech sites/magazines mind you, just some. And when the company is famous enough (Google, Apple, Microsoft) for mainstream media to care about, all the better…
At the end of the day though, the way to get action is to file a feature request with vendors, not to make up crazy headlines aimed at selling FUD as a means of getting someone to go to your website…