macnn

11/11/2008, 4:25pm, EST

Tuesday, November 11th

App-related bug threatens iPhone security

A bug revealed within the handling of apps on the iPhone could represent a serious security threat, developers claim. The bug is specifically connected to an image file called "Default.png," which is displayed whenever any app is being loaded on an iPhone. While third-party software is limited to a static version of the graphic, Apple's own apps are able to change the file in order to display items such as the date, or a simulated preview. According to developer Patrick Collison, it is possible to fool the iPhone firmware into thinking third-party code should be allowed access to a dynamic PNG file.

The key issue is said to be that in implementing the hack, the iPhone API could be made to think an app comes from a trusted source, and is thereby allowed to access secure areas of the firmware. By linking this with an arbitrary code attack, an iPhone could in theory be made to do virtually anything, a collection of developers is said to be arguing.

A further worry is that a hacker could implement this strategy while bypassing Apple's App Store screening, which has so far been successful in preventing any serious threats. Although much of Apple's effort appears to be devoted to perceived intellectual property issues, the company is also invested in technical aspects, such as bugs and abuse of cellular bandwidth.


Filed under: iPhone, security, iPhone apps
Other story tags: App Store




8 comments

?

8
11/11, 5:02pm, EST

This sounds both non-trivial, and unlikely.

This scenario sounds like it would require the app to be distributed ad hoc, which would explicitly limit the threat to begin with.

Mind you, I'm all for closing off any potential risk... but, as usual on MacNN, the headline blows this WAY out of proportion.

Fresh-Faced Recruit
Joined Apr 2000

But wait, there's more!

6
11/11, 6:00pm, EST

Developer Patrick Collison has called a news conference for Wednesday, November 12th, where he will not only preview a live demonstration of this possible attack, but will also give details on how EVERY person who owns an iPhone can purchase protection from this possible attack on their phones for the low, low price of just $4.99.

Fresh-Faced Recruit
Joined Oct 2006

could...

3
11/11, 6:08pm, EST

"Could" appears 4 times in this article. And guess what... anything COULD happen, folks.

Correction.. "in theory", anything COULD happen, folks.

Fresh-Faced Recruit
Joined Feb 2004

not a real threat

2
11/11, 7:52pm, EST

but perceived that someone at Apple could insert the dynamic png file.

Moreover, social engineering is anyways a scenario that cannot be prevented.

BTW, using the word "hacker" is not correct when describing a malicious code writer. A "hacker" is a person with extreme programming capabilities directed towards good.

Fresh-Faced Recruit
Joined Mar 2006

v2.2 fix?

-1
11/11, 9:35pm, EST

In 9 days, v2.2 will be released.
I wonder if this problem will be fixed.

New Guinea

-1
11/12, 1:33am, EST

PIGS! LOL! Thanks to all the guinea pigs testing out this phone for me. I won't be able to pay you but I thank you for your time and effort in securing this for both me, and Apple. When I do get an iPhone, hopefully it will be more secure by then! haha just kiddin about the guinea pig part

Fresh-Faced Recruit
Joined Nov 2007

To themacjedicali

1
11/12, 8:05am, EST

Playing with daddy's computer again. What a naughty boy...

Don't you have school or something?

P.S. By the way, "the prequels" suck. Lucas hasn't done anything good since ROTJ. So there!

Fresh-Faced Recruit
Joined Sep 2004

New Guinea

-1
11/13, 1:42am, EST

PIGS! LOL! Thanks to all the guinea pigs testing out this phone for me. I won't be able to pay you but I thank you for your time and effort in securing this for both me, and Apple. When I do get an iPhone, hopefully it will be more secure by then! haha just kiddin about the guinea pig part

Fresh-Faced Recruit
Joined Nov 2007