Interesting People mailing list archives
with Editors comment iPhone flaws, first of many because of design issue imo
From: David Farber <dave () farber net>
Date: Mon, 23 Jul 2007 13:21:12 -0400
I am publishing this not to damn Apple but because of a comment made in the referenced article that I think is VERY VERY telling. Namely:
"Does this add credence to Apple's position that 3rd party applications are not allowed on the iPhone for security reasons?
We don't think so. Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model, rather than protecting the user (which is, of course, an entirely understandable position). For example, a constrained environment is used to prevent users from loading new ringtones onto the phone, but the applications are not run in a constrained environment to contain damage caused by hackers who exploit them."
Dave

-----Original Message-----
From: justin [mailto:justin () dslr net]
Sent: Mon 7/23/2007 11:32 AM
To: David Farber
Subject: iPhone flaws, first of many because of design issue imo

Hi,

Thought I'd see this on the list today but no, so here it is..

iPhone applications all run as root, instead of running under individual less-privileged uids, therefore a problem with one app compromises the data on the entire phone.

The coverage today is of a malicious website triggering installation of software which then can dump the entire phone, if necessary, over the net - while the user watches a "busy" browser:
http://www.securityevaluators.com/iphone/

There are definitely going to be more of these proof of concepts, and Apple should re-evaluate the security model it uses (or rather, has failed to use) in the iPhone before someone creates a real iPhone virus that is spread via enticement to view mail messages, visit sites, stumble into public wifi spots with pcs running "iPhone penetrators", or whatever/wherever the break-in can be triggered.

Note that OSX requires an administration password before the OS can be modified, and programs running on Macs run under the user-id of the owner - making a (say) Safari exploit less likely to gain write access to the underlying OS.

-Justin
dslreports.com
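The alternative the message points to, running each application under its own less-privileged uid instead of root, sketched as an added example (not code from the post, the cited report, or Apple). The function name drop_privileges and the uid/gid value 501 are constructed for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for setgroups() */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch the process to an unprivileged uid/gid.
 * Returns 0 on success, -1 on failure (caller must exit, not continue). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {          /* refuse to "drop" to root */
        errno = EINVAL;
        return -1;
    }
    /* Order matters: supplementary groups, then gid, then uid. Once the
     * uid has changed, the process may no longer change the other two. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the ids took effect and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* 501 is a constructed sample id standing in for a per-app account. */
    uid_t app_uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 501;
    gid_t app_gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : 501;

    if (drop_privileges(app_uid, app_gid) != 0) {
        perror("drop_privileges");
        return 1;                        /* fail closed: never run on as root */
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

A launcher would call this before handing control to code that parses untrusted input, so that a flaw in one application is limited to what that uid can read and write.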