
Printed from http://www.macnn.com

App-related bug threatens iPhone security

updated 04:25 pm EST, Tue November 11, 2008

App bug & iPhone security

A bug revealed within the handling of apps on the iPhone could represent a serious security threat, developers claim. The bug is specifically connected to an image file called "Default.png," which is displayed whenever any app is being loaded on an iPhone. While third-party software is limited to a static version of the graphic, Apple's own apps are able to change the file in order to display items such as the date, or a simulated preview. According to developer Patrick Collison, it is possible to fool the iPhone firmware into thinking third-party code should be allowed access to a dynamic PNG file.

The key issue is said to be that in implementing the hack, the iPhone API could be made to think an app comes from a trusted source, and is thereby allowed to access secure areas of the firmware. By linking this with an arbitrary code attack, an iPhone could in theory be made to do virtually anything, a collection of developers is said to be arguing.

There is further concern that a hacker could implement this strategy while bypassing Apple's App Store screening, which has so far been successful in preventing any serious threats. Although much of Apple's effort appears to be devoted to perceived intellectual property, the company is also invested in technical aspects, such as bugs and abuse of cellular bandwidth.




by MacNN Staff


Comments

  1. lockhartt

    Joined: Dec 1969

    +8

    ?

    This sounds both non-trivial, and unlikely.

    This scenario sounds like it would require the app to be distributed ad hoc, which would explicitly limit the threat to begin with.

    Mind you, I'm all for closing off any potential risk... but, as usual on MacNN, the headline blows this WAY out of proportion.

  1. jhawk95

    Joined: Dec 1969

    +6

    But wait, there's more!

    Developer Patrick Collison has called a news conference for Wednesday, November 12th, where he will not only preview a live demonstration of this possible attack, but will also give details on how EVERY person who owns an iPhone can purchase protection from this possible attack on their phones for the low, low price of just $4.99.

  1. eldarkus

    Joined: Dec 1969

    +3

    could...

    "Could" appears 4 times in this article. And guess what... anything COULD happen folks.

    Correction.. "in theory", anything COULD happen, folks.

  1. macnixer

    Joined: Dec 1969

    +2

    not a real threat

    but perceived that someone at Apple could insert the dynamic png file.

    Moreover social engineering is anyways a scenario that cannot be prevented.

    BTW, using the word "hacker" is not correct while describing a malicious code writer. A "hacker" is a person with extreme programming capabilities directed towards good.

  1. Guest

    Joined: Dec 1969

    -1

    v2.2 fix?

    In 9 days, v2.2 will be released.
    I wonder if this problem will be fixed.

  1. themacjedicali

    Joined: Dec 1969

    -1

    New Guinea

    PIGS! LOL! Thanks to all the guinea pigs testing out this phone for me. I won't be able to pay you but I thank you for your time and effort in securing this for both me, and Apple. When I do get an iPhone, hopefully it will be more secure by then! haha just kiddin about the guinea pig part

  1. sammaffei

    Joined: Dec 1969

    +1

    To themacjedicali

    Playing with daddy's computer again. What a naughty boy...

    Don't you have school or something?

    P.S. By the way, "the prequels" suck. Lucas hasn't done anything good since ROTJ. So there!

