App-related bug threatens iPhone security
updated 04:25 pm EST, Tue November 11, 2008
A bug revealed within the handling of apps on the iPhone could represent a serious security threat, developers claim. The bug is specifically connected to an image file called "Default.png," which is displayed whenever any app is being loaded on an iPhone. While third-party software is limited to a static version of the graphic, Apple's own apps are able to change the file in order to display items such as the date, or a simulated preview. According to developer Patrick Collison, it is possible to fool the iPhone firmware into thinking third-party code should be allowed access to a dynamic PNG file.
The key issue is said to be that, by implementing the hack, the iPhone API could be made to treat an app as coming from a trusted source, thereby allowing it to access secure areas of the firmware. By linking this with an arbitrary code attack, an iPhone could in theory be made to do virtually anything, a collection of developers is said to be arguing.
A further worry is that a hacker could implement this strategy while bypassing Apple's App Store screening, which has so far been successful in preventing any serious threats. Although much of Apple's effort appears to be devoted to perceived intellectual property, the company is also invested in technical aspects, such as bugs and abuse of cellular bandwidth.

?
11/11, 05:02pm reply
This sounds both non-trivial, and unlikely.
This scenario sounds like it would require the app to be distributed ad hoc, which would explicitly limit the threat to begin with.
Mind you, I'm all for closing off any potential risk... but, as usual on MacNN, the headline blows this WAY out of proportion.
lockhartt
Fresh-Faced Recruit
Joined: Apr 2000
But wait, there's more!
11/11, 06:00pm reply
Developer Patrick Collison has called a news conference for Wednesday, November 12th, where he will not only preview a live demonstration of this possible attack, but will also give details on how EVERY person who owns an iPhone can purchase protection from this possible attack on their phones for the low, low price of just $4.99.
jhawk95
Fresh-Faced Recruit
Joined: Oct 2006
could...
11/11, 06:08pm (1 reply) reply
"Could" appears 4 times in this article. And guess what... anything COULD happen, folks.
Correction.. "in theory", anything COULD happen, folks.
eldarkus
Fresh-Faced Recruit
Joined: Feb 2004
not a real threat
11/11, 07:52pm reply
but perceived that someone at Apple could insert the dynamic png file.
Moreover social engineering is anyways a scenario that cannot be prevented.
BTW, using the word "hacker" is not correct while describing a malicious code writer. A "hacker" is a person with extreme programming capabilities directed towards good.
macnixer
Fresh-Faced Recruit
Joined: Mar 2006
v2.2 fix?
11/11, 09:35pm reply
In 9 days, v2.2 will be released.
I wonder if this problem will be fixed.
Guest
Fresh-Faced Recruit
Joined: Nov 1999
New Guinea
11/12, 01:33am reply
PIGS! LOL! Thanks to all the guinea pigs testing out this phone for me. I won't be able to pay you but I thank you for your time and effort in securing this for both me, and Apple. When I do get an iPhone, hopefully it will be more secure by then! haha just kiddin about the guinea pig part
themacjedicali
Fresh-Faced Recruit
Joined: Nov 2007
To themacjedicali
11/12, 08:05am reply
Playing with daddy's computer again. What a naughty boy...
Don't you have school or something?
P.S. By the way, "the prequels" suck. Lucas hasn't done anything good since ROTJ. So there!
sammaffei
Fresh-Faced Recruit
Joined: Sep 2004
New Guinea
11/13, 01:42am reply
PIGS! LOL! Thanks to all the guinea pigs testing out this phone for me. I won't be able to pay you but I thank you for your time and effort in securing this for both me, and Apple. When I do get an iPhone, hopefully it will be more secure by then! haha just kiddin about the guinea pig part
themacjedicali
Fresh-Faced Recruit
Joined: Nov 2007