0

Apple has this week released a software update for the iPhone which addresses a total of five security vulnerabilities. But not, it would seem, the small matter of a year old glitch which could turn your iPhone into a spyPhone.

First the good news, Apple has released iPhone OS 3.1.3 which seals five security holes, including three which if it were a Microsoft update would come with the 'critical vulnerability' label firmly attached.

These include another iPhone recovery mode memory corruption issue that "exists in the handling of a certain USB control message" which could apparently enable data from a lost iPhone to be recovered even if that iPhone were 'locked' when found. There's also one concerning "playing a maliciously crafted mp4 audio file" which may "lead to an unexpected application termination or arbitrary code execution" and another that does likewise for a "maliciously crafted TIFF image". Not forgetting the by now almost obligatory WebKit patch of course.

More good news is that iPhone 3.1.3 also improves battery level reporting (if not battery life itself) as well as fixing a glitch which was preventing some third party apps from launching properly.

But that's pretty much where the good news ends, especially if you listen to Nicolas Seriot from the Swiss university of Applied Science who has warned that a year old flaw still exists which could enable malicious applications to be downloaded and installed. Apps which could turn that iPhone into a spyPhone by monitoring your movements and stealing your data.

Despite a partial fix in the iPhone 2.1 update back in 2008, which Seriot claims was in response to contacting Apple with his concerns, the risk still remains - as proven by the spyPhone application. Ah yes, like all good security researchers these days, Seriot is spilling the beans at Black Hat and has developed a rogue spyware app to prove his point.

The proof-of-concept spyPhone app is open source and will not only access the most recent searches made on the iPhone using the Safari browser but will also harvest email data such as addresses and login/password combos. Oh, spyPhone also demonstrates with consummate ease how a malicious app can be used as a keylogger by accessing the iPhone keyboard cache and will even find your photos that are tagged with geo location data.

Of course, unless we are talking about the security risk to Jailbroken iPhones (and we are not in this instance) for such an app to be of any danger to the iPhone using public then it would first have to gain App Store approval. Which does, of course, up the ante for the bad guy. Developers have to register with Apple in order to get as far as submitting an app for consideration, but given the data gold mine out there it is surely only a matter of time before the bad guys decide the risk is worth the return. Heck, the bad guys are already well placed to set up false accounts with perfectly genuine looking references and contact details after all.

But what of that approval process itself, wouldn't that catch any spyware app and shoot it in the head? Well you'd like to think so, but it seems that not everyone is convinced. Seriot himself has warned that although Apple does look for undocumented function calls and malware, it's only a matter of time before some malware slips through the net given the sheer volume of apps being scrutinised. Indeed, with 10,000 or so apps being submitted for review every week, he has a point. Especially given the truly bizarre decisions over which apps are allowed and which are banned in the past. It does tend to suggest that quality control can sometimes take a bit of a wobble, and if that wobble happens when a rogue app is being looked at, well, you can work out the rest. Don't forget that apps previously approved have already been pulled from the App Store at a later date after complaints about data harvesting, so the precedent has well and truly been set already.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

1
Contributor
0
Replies
1
Views
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.