Researcher challenges Apple on iPhone bugs

updated 09:50 am EDT, Fri October 3, 2008

Aviv Raff on iPhone bugs

Apple has been neglectful in addressing a pair of bugs in the iPhone's operating system, an Israeli researcher claims. Aviv Raff explains that as early as July he warned Apple about problems in Mail and Safari, each representing a possible security threat. Although three separate firmware updates have since been released for the iPhone 3G, Raff notes that Apple has not bothered to address his concerns, even after continual pressure for a timetable.

As a result, he has decided to publish the details of the iPhone vulnerabilities on his own. The first stems from the way the iPhone truncates URLs: because the display is so small, only part of the URL can be shown for many links. The portion that is cut off can be critical to judging legitimacy, however, so it is possible to create plausible-looking URLs that nevertheless take people to dangerous websites. URLs can be examined in Safari, but the OS makes this difficult by jumping to the end of an address.
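A display routine can shorten a URL for a narrow screen and still show which site it leads to. The sketch below is an added example, not Apple's code or Raff's; the front-truncating function is an assumed behaviour included only for contrast, and the sample URL and function names are constructed.

```python
from urllib.parse import urlsplit

ELLIPSIS = "…"

# Constructed sample: the site is example.net, not example.com.
SAMPLE = "https://www.example.com.secure-login.example.net/account/verify"


def front_truncate(url: str, width: int) -> str:
    """Assumed behaviour, for contrast only: keep the front, cut the rest."""
    return url if len(url) <= width else url[: width - 1] + ELLIPSIS


def host_preserving(url: str, width: int) -> str:
    """Shorten a URL for a narrow display without hiding the site it leads to.

    Domain ownership is decided by the right-most labels of the hostname, so
    those are always shown; left-hand subdomains and the path are what get cut.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return front_truncate(url, width)  # no hostname to protect
    if len(host) > width:
        labels = host.split(".")
        kept = labels.pop()
        # Add labels from the right while they fit next to the ellipsis.
        while labels and len(labels[-1]) + len(kept) + 2 <= width:
            kept = labels.pop() + "." + kept
        return ELLIPSIS + kept
    rest = parts.path + ("?" + parts.query if parts.query else "")
    if len(host + rest) <= width:
        return host + rest
    room = width - len(host) - 1  # one cell reserved for the ellipsis
    return host + (rest[:room] + ELLIPSIS if room > 0 else "")


if __name__ == "__main__":
    print(front_truncate(SAMPLE, 24))   # front of the URL only
    print(host_preserving(SAMPLE, 24))  # right-most host labels kept
```

At a width of 24 characters the front-truncated form shows only the `www.example.com` prefix, while the host-preserving form shows the `example.net` labels that actually identify the site.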

A problem unique to Mail stems from image attachments. Because there is no option to disable downloading attachments automatically, images can be used to gauge whether an e-mail address is active; once this is verified, a spammer can use the information to direct more messages at a target. Raff comments that both this and the URL bug should be easy to fix, which leads him to wonder why Apple has not done anything sooner.
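The option the article says is missing amounts to not fetching remote images until the reader asks for them. The following added example (not Apple's code) shows that logic over a constructed HTML body; `data-blocked-src` and the function names are hypothetical, and only `<img src>` is covered.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one remote 1x1 image and one image embedded in the message.
SAMPLE = (
    '<p>Hello</p>'
    '<img src="http://tracker.example.net/open.gif?id=abc123" width="1" height="1">'
    '<img src="cid:logo@example.org" alt="logo">'
)

def is_remote(src):
    """True when fetching src would contact a server (http, https or //host)."""
    src = (src or "").strip()
    return src.startswith("//") or urlsplit(src).scheme in ("http", "https")

class RemoteImageBlocker(HTMLParser):
    """Re-emit an HTML body with remote <img> sources parked in an inert attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def handle_starttag(self, tag, attrs):
        rebuilt = [tag]
        for name, value in attrs:
            if tag == "img" and name == "src" and is_remote(value):
                self.blocked.append(value)
                name = "data-blocked-src"  # hypothetical attribute name
            rebuilt.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(rebuilt) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void element: no closing tag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def block_remote_images(html_body):
    """Return (safe_html, blocked_urls); nothing is fetched. Comments are dropped."""
    parser = RemoteImageBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked
```

A mail client would render the returned HTML and offer the blocked list behind a "load images" control, so that opening a message does not by itself confirm the address to the sender.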

by MacNN Staff



  1. Guest

    Joined: Dec 1969


    Aviv Raff

    is a needy, whiney, look I'm pathetic, researcher.

  1. ezylstra

    Joined: Dec 1969


    Not BUGS, Design Choices

    1. URL issue
      Alternative is to show the whole URL all the time? Take up to half the screen to do so? Sounds like a UI design choice. The paranoid user can inspect the whole URL by holding their finger on the URL, then scanning it with the finger magnification tool.

      2. Image issue
      Alternative is to load place-holder for image with "download images" button at top of message window? Again, a kind of sucky UI choice.

      BOTH issues are design choices, NOT bugs.

  1. jmonty12

    Joined: Dec 1969



    Yeah, because these two "bugs" are definitely the most important iPhone issues for Apple to work on.

  1. khiltd

    Joined: Dec 1969



    Hey look a guy who uses Comic Sans on his boxy little blog let's all ask him what he thinks about UI design.

  1. sporobolus

    Joined: Dec 1969


    important, but not news

    interesting to note that two out of four comments above resort to ridicule, and people have actually thumbsed-up one ... perhaps it has been difficult, as another comment implies, for Apple to really polish the iPhone apps, and this is irking some users

    these two issues (which have been discussed before this "revelation") are fairly different, but both are important

    the URL issue is one that should be fixed, but the fix will be hard within the expectations of "simplicity" Apple has set; instead of Apple complicating the UI, users have to complicate their behavior by being extremely cautious when following links to sites that ask for personal information

    the email display issue is a more critical flaw to those of us who still care about spam and trackers; Apple's desktop Mail is much more protective in this area, but in the name of simplification, i guess, the iPhone ignores the issue; perhaps Apple deems its market largely complacent (or ignorant) about the email tracking scourge

    personally, as someone preparing to purchase an iPhone, i would rather just have a plain text option; barring that, i hope the email client will gain an option like the desktop version's, or that Apple will allow competitive email systems, because otherwise i won't be comfortable using the iPhone for email without filtering it before it reaches the phone -- filtering not just spam, but also all the Constant Contact, silverPOP, Eloqua, Convio, etc. emails (just a few examples pulled from my recent inbox)

  1. ender

    Joined: Dec 1969



    I wouldn't consider the URL issue a bug. Simply a limitation. Besides, without Java, Flash, DirectX, etc, to compromise security (and you can't download applications via Safari on the iPhone), how serious a threat is this?

    The Email issue, while not a programming bug, is a very poor design choice. Every email program I've used since Claris Emailer a decade ago had the option to not auto-display images. I've had a few instances when I've viewed images on a spam email and was then flooded with far more spam than normal for the next few weeks.

  1. testudo

    Joined: Dec 1969


    Re: bugs

    Most phishing sites and the such don't use flash, directx (does any site use directx? Or did you throw this in here as a way to blame MS?). That's the whole point.

    Though the issue would be negligible if they could come up with a way to easily verify the domain that's being displayed, which is his point.

    As for the email, you'd think ATT would have demanded this option so they could save bandwidth of all things.

    And, ezylstra, while they may be design choices, remember that the main reason ActiveX and IE are such security nightmares is because of design decisions. Thus, saying it is by 'design' means nothing. It still means it's an issue. (And you can't be sure the URL issue is 'by design' or just how it works. There is a difference).

  1. Guest

    Joined: Dec 1969


    Mac user

    I am an iPhone and Mac user. Still, if there is a flaw in Apple products, we need to admit it. It will help Apple to make them better. Bashing someone who honestly speaks to Apple how to improve their software, is nothing but trolling. Unfortunately, the most recent Apple products are of much worse quality than they used to be. I understand that Apple is in the business of making money rather than making their customers happy. Still, they need to reset their priorities appropriately to improve quality.
