Apple SDK release unlocks iPhone security issues
In a prepared statement released Wednesday on Apple's website, Chief Executive Officer Steve Jobs said the SDK will reach developers after the New Year.
"Let me just say it: We want native third-party applications on the iPhone, and we plan to have an SDK in developers' hands in February,” he said.
He said it will take Apple take that long to develop the SDK "because we're trying to do two diametrically opposed things at once -- provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc. This is no easy task.”
The SDK will allow third-party developers to create applications that run on the iPhone without manipulating a vulnerability in the iPhone's Mac OS code. Doing so can lead to considerable security issues, said noted hacker H.D. Moore.
“Using a security vulnerability to enable third-party development is nothing new, but in the case of iPhone, this can be a problem," he said last week in a blog post, one in a series about the iPhone, noting that such a strategy opens the device to malicious users as well as researchers.
The SDK development comes with a caveat, Chris Andrew, vice president of security technologies at security firm Lumension, told SCMagaazineUS.com.
“As long as the [iPhone] is a closed platform, it's not a very big attack target, but once you can get other applications on it, there's potential for exploits, just like those we see for any other platform,” he said. “The Mac OS is one of the more secure operating environments, and [security vulnerabilities on the iPhone] have not been a huge issue so far. But as you open it to developers who will provide a bunch of new applications, any new applications, especially networking applications, can have [the] same kinds of problems we see in desktop software.”
Jobs warned that it's only a matter of time until the iPhone is a target for hackers.
"Some claim that viruses and malware are not a problem on mobile phones -- this is simply not true…There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target,” he said. "We are working on an advanced system which will offer developers broad access to natively program the iPhone's amazing software platform while at the same time protecting users from malicious programs.”
Some researchers already consider the iPhone to be a security “open hole.” For instance, Moore noted in a recent post that "every process runs as root. MobileSafari, MobileMail, even the calculator, all run with full root privileges [on the iPhone].”
"Any security flaw in any iPhone application can lead to a complete system compromise," said Moore, director of security at BreakingPoint Systems and the developer of the Metasploit vulnerability-testing tool. "A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list and phone hardware. Couple this with 'always-on' internet access and you have a perfect spying device."
Andrew Storms, nCircle security director, told SCMagazineUS.com on Thursday that Apple deserves credit for being forthcoming about security issues.
"We have to applaud Apple's admission that mobile phones are an attack vector for viruses and malware,” he said. “Other mobile phone vendors have not yet admitted this, and these vendors will definitely be behind the curve in protecting their users.
Storms added that Jobs is improving Apple's public stance on security.
"This is also a retraction to prior Apple statements. Jobs has said in the past that because iPhone runs OS X it is inherently secure,” he said. “By making security a priority, Apple is admitting that even OS X can be hacked."